Soumettre #853098: zhayujie CowAgent <= 2.1.0 Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)information

Titrezhayujie CowAgent <= 2.1.0 Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Description# Technical Details A local file disclosure vulnerability exists in the `BrowserTool._do_navigate` method in `agent/tools/browser/browser_tool.py` of CowAgent. The application fails to enforce a URL scheme allowlist before forwarding attacker-controlled URLs to Playwright. Non-network schemes such as `file://` are preserved, passed to `BrowserService._do_navigate`, loaded by Chromium, and then exposed through the browser tool's automatic snapshot response. # Vulnerable Code File: `agent/tools/browser/browser_tool.py` Method: `BrowserTool._do_navigate` Why: The method only prepends `https://` for bare hosts and intentionally preserves `file://`, `about:`, and `data:` URLs before calling the browser service and returning a page snapshot. File: `agent/tools/browser/browser_service.py` Method: `BrowserService._do_navigate` Why: The method passes the unvalidated URL directly into Playwright `page.goto(url, wait_until="domcontentloaded", timeout=timeout)`. # Reproduction 1. Install CowAgent / `chatgpt-on-wechat` with the browser tool available and Playwright Chromium installed. 2. Create a local readable canary file such as `/tmp/cve-2026-32008-canary.txt`. 3. Invoke the browser tool with `{"action":"navigate","url":"file:///tmp/cve-2026-32008-canary.txt"}`. 4. Observe that Chromium loads the local file. 5. Inspect the returned tool result and confirm the automatic page snapshot contains the local file contents. 6. Run a control with `about:blank` and confirm the canary is not disclosed. # Impact - Authenticated users who can trigger `browser.navigate` can read local files accessible to the CowAgent process user. - Sensitive files such as configuration, cached credentials, API keys, logs, uploaded artifacts, and local memory data may be exposed. - The browser feature silently changes from web navigation into local host file access without explicit operator approval.
La source⚠️ https://github.com/zhayujie/CowAgent/issues/2871
Utilisateur
 Eric-x (UID 94869)
Soumission09/06/2026 16:39 (il y a 1 mois)
Modérer09/07/2026 20:38 (1 month later)
StatutAccepté
Entrée VulDB377272 [zhayujie CowAgent jusqu’à 2.1.0 Browser Tool browser_tool.py BrowserTool._do_navigate divulgation d'information]
Points20

Do you want to use VulDB in your project?

Use the official API to access entries easily!