CVE-2026-55629 in Whistleinfo

Summary

by MITRE • 07/16/2026

Whistle is an HTTP, HTTP2, HTTPS, and WebSocket debugging proxy. Prior to 2.10.3, lib/service/service.js handles GET /cgi-bin/temp/get by reading req.query.filename, joining it to TEMP_FILES_PATH only when it matches the temporary file pattern, and otherwise passing the user-supplied filename directly to getFile, allowing a remote attacker to read arbitrary files such as /etc/passwd. This issue is reported as fixed in version 2.10.3.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability exists within the Whistle debugging proxy software, specifically in the service handling mechanism that processes requests to the /cgi-bin/temp/get endpoint. This flaw represents a classic path traversal vulnerability where the application fails to properly validate user input before constructing file paths for access operations. The affected component lib/service/service.js demonstrates inadequate sanitization of the filename parameter extracted from HTTP query strings, creating a significant security risk that can be exploited remotely without authentication.

The technical implementation of this vulnerability stems from improper input validation logic within the service handler. When processing GET requests to /cgi-bin/temp/get, the application reads the filename parameter from req.query.filename and applies a conditional check against a temporary file pattern before joining it with TEMP_FILES_PATH. However, when the filename fails this pattern validation, the system directly passes the user-supplied value to the getFile function without additional sanitization or path validation. This design flaw allows attackers to bypass intended security boundaries and construct malicious file paths that can access arbitrary files on the server filesystem.

The operational impact of this vulnerability is severe as it enables remote file inclusion attacks that can potentially expose sensitive system information, configuration files, and application data. Attackers can leverage this weakness to read critical system files such as /etc/passwd which contains user account information, or other sensitive resources that may contain database credentials, application secrets, or internal network configurations. The vulnerability affects all versions prior to 2.10.3 and represents a directory traversal issue classified under CWE-22, which specifically addresses improper limitation of a pathname to a restricted directory. This weakness can be mapped to ATT&CK technique T1083 (File and Directory Discovery) as attackers can systematically enumerate and access files beyond the intended scope.

The fix implemented in version 2.10.3 addresses this vulnerability by ensuring proper input validation and sanitization of all user-supplied filenames before they are processed for file access operations. This remediation aligns with security best practices that mandate input validation, output encoding, and principle of least privilege when handling file system operations. Organizations using Whistle should immediately upgrade to version 2.10.3 or later to mitigate this risk, as the vulnerability can be exploited without authentication and provides extensive access to server-side files. The patch demonstrates proper security engineering practices that validate all external inputs and enforce strict path validation before any file system operations occur, preventing unauthorized access to sensitive resources through crafted malicious requests.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!