8.7
Google Clasp on Your Machine Can Run Malicious Code
GHSA-hqjg-pww4-pcgq
CVE-2026-4092
Summary
An attacker can use Google Clasp to run unauthorized code on your computer. This can happen when you clone or pull a script from an untrusted source and Clasp modifies files outside of your project directory. To stay safe, only download scripts from trusted sources and verify which files Clasp changes.
What to do
- Update Google clasp to version 3.2.0.
- Update Google `@google/clasp` to version 3.2.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| google | clasp | <= 3.2.0 | 3.2.0 |
| google | @google/clasp | <= 3.2.0 | 3.2.0 |
Original title
@google/clasp vulnerable to unsafe path traversal cloning or pulling a malicious script
Original description
### Impact
Allows an attacker to perform a "Path Traversal" attack to modify files outside the project's directory, potentially allowing attacker code to run on the developer's machine.
### Patches
Fixed in version 3.2.0
### Workarounds
* Only clone or pull scripts from trusted sources
* Review the output of the `pull` and `clone` commands to verify only expected project files are modified
ghsa CVSS4.0
8.7
Vulnerability type
CWE-22
Path Traversal
- https://nvd.nist.gov/vuln/detail/CVE-2026-4092
- https://github.com/google/clasp/security/advisories/GHSA-hqjg-pww4-pcgq
- https://github.com/google/clasp/pull/1109
- https://github.com/google/clasp/commit/ba6bd666fe74de54950122b5d92ecf1dcc02a9d3
- https://github.com/google/clasp/releases/tag/v3.2.0
- https://github.com/advisories/GHSA-hqjg-pww4-pcgq
- https://github.com/google/clasp
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026