This vulnerability (CWE-22) in vertex-app's vertex product involves improper limitation of a pathname to a restricted directory, commonly known as path traversal. It affects all versions before the commit fbde301b97986d5913fc4bc95f5445750d282e11. Exploiting this flaw could allow an attacker to access files outside the intended directory scope. The CVSS v3.1 base score is 8.6, indicating high severity with network attack vector, low attack complexity, no privileges or user interaction required, and impacts confidentiality, integrity, and availability. The vendor has addressed the issue in the commit mentioned, and upgrading to this version or later mitigates the vulnerability.

Successful exploitation could lead to unauthorized reading of sensitive files (high confidentiality impact), limited modification of data (low integrity impact), and partial denial of service (low availability impact). The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk profile. However, no active exploits have been reported so far.

Users should upgrade vertex to the version containing commit fbde301b97986d5913fc4bc95f5445750d282e11 or later to apply the official patch. Since this is not a cloud service, remediation depends on user action to update the software. Patch status is confirmed by the vendor's commit reference. No alternative mitigations are indicated.