## Critical Volume Deletion Flaw Found in deleteViaEphemeral: Entire /configs Mount Wiped Regardless of FilePath
A critical scope vulnerability has been identified in the `deleteViaEphemeral` utility function, classified under F1085 and mapped to CWE-78 and CWE-22. The flaw causes the function to delete the entire `/configs` volume mount rather than scoped individual files, representing a severe data destruction risk for any system relying on this code path.

The root cause lies in the original two-argument rm invocation: `["rm", "-rf", "/configs", filePath]`. The rm command interprets `/configs` as the target directory and ignores the `filePath` argument entirely, executing `rm -rf /configs` unconditionally. This means any call to `deleteViaEphemeral` — regardless of the intended file target — permanently destroys all data within the volume mount. The fix restructures the argument as `["rm", "-rf", "/configs/" + filePath]`, passing a single scoped path so rm resolves the deletion target inside the volume rather than targeting the mount point itself.

The patch includes comprehensive test coverage with 14 path traversal cases validated through `TestValidateRelPath` and source-level assertions via `TestDeleteViaEphemeral_ConcatFormDocs`. The CI pipeline reports passing results on E2E API smoke tests and static analyzers, though a pre-existing failure in org-token sqlmock testing was excluded from the validation scope. Organizations using this function are advised to confirm their deployments have applied the corrected argument-concatenation form immediately, as the vulnerability permits unauthorized full-volume deletion through a seemingly targeted file operation.
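The following Go program is an added illustration written for this summary; it is not the project's own code, and the names `mountRoot`, `buggyRmArgs`, `fixedRmArgs`, `ValidateRelPath` and `targetsMountRoot` are assumptions chosen to mirror the issue text rather than identifiers from the repository. It shows why the two-target form hands `rm` the mount point itself, how the single concatenated target keeps the deletion inside `/configs`, and why that concatenation has to sit behind the kind of relative-path validation the CWE-22 traversal tests cover: `"/configs/" + filePath` on its own would still resolve `../` segments outside the mount.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// mountRoot stands in for the volume mount named in the issue.
const mountRoot = "/configs"

// ErrBadRelPath is returned for any path that cannot be scoped under the mount.
var ErrBadRelPath = errors.New("invalid relative path")

// buggyRmArgs reproduces the argument shape the issue describes as the root
// cause: the mount point and the file path are passed as two separate targets,
// so rm is handed "/configs" itself as something to remove.
func buggyRmArgs(filePath string) []string {
	return []string{"rm", "-rf", mountRoot, filePath}
}

// ValidateRelPath (hypothetical name, modelled on the page's TestValidateRelPath)
// rejects empty and absolute paths, NUL bytes, and any path that still climbs
// out of the mount after lexical cleaning. It returns the cleaned relative path.
func ValidateRelPath(filePath string) (string, error) {
	if filePath == "" || filepath.IsAbs(filePath) || strings.ContainsRune(filePath, 0) {
		return "", ErrBadRelPath
	}
	cleaned := filepath.Clean(filePath)
	if cleaned == "." || cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return "", ErrBadRelPath
	}
	return cleaned, nil
}

// fixedRmArgs builds the single scoped target of the corrected form
// ("/configs/" + filePath), but only after validation, and re-checks that the
// resolved target lies strictly below the mount root.
func fixedRmArgs(filePath string) ([]string, error) {
	rel, err := ValidateRelPath(filePath)
	if err != nil {
		return nil, err
	}
	target := filepath.Join(mountRoot, rel)
	// Defence in depth: never the mount itself, never outside it.
	if target == mountRoot || !strings.HasPrefix(target, mountRoot+"/") {
		return nil, ErrBadRelPath
	}
	return []string{"rm", "-rf", target}, nil
}

// targetsMountRoot reports whether an rm argument vector would remove the
// mount point itself; a useful assertion for a unit test over the arg builder.
func targetsMountRoot(args []string) bool {
	for _, a := range args[2:] {
		if filepath.Clean(a) == mountRoot {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample inputs: one benign file and a few traversal attempts.
	for _, p := range []string{"app.yaml", "a/../b", "../etc/shadow", "/etc/shadow", "sub/.."} {
		fmt.Printf("buggy  %-14q -> %v (targets mount root: %v)\n", p, buggyRmArgs(p), targetsMountRoot(buggyRmArgs(p)))
		if args, err := fixedRmArgs(p); err != nil {
			fmt.Printf("fixed  %-14q -> rejected: %v\n", p, err)
		} else {
			fmt.Printf("fixed  %-14q -> %v\n", p, args)
		}
	}
}
```

The check in `fixedRmArgs` is deliberately redundant with `ValidateRelPath`: the validator is the place to enumerate traversal shapes, while the prefix test on the joined path guards the arg builder even if the validator is later loosened.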
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CWE-78, CWE-22, F1085, security-vulnerability, volume-deletion
- **Credibility**: unverified
- **Published**: 2026-04-22 23:54:11
- **ID**: 76128
- **URL**: https://whisperx.ai/en/intel/76128