| タイトル | BrowserOperator browser-operator-core 0.6.0 Path Traversal |
|---|
| 説明 | A path traversal file read vulnerability (CWE-22) has been identified in the component server of browser-operator-core, specifically within scripts/component_server/server.js. The server derives filePath directly from request.url and joins it with a base directory without proper sanitization, allowing crafted paths containing ../ sequences to traverse outside the intended documentation root. In --traces mode, the boundary check uses a weak startsWith() comparison without path separator enforcement, permitting access to sibling directories with the same prefix (e.g., traces_evil). An attacker with network access to the component server can read arbitrary files from within or adjacent to the generated DevTools output root. Version 0.6.0 is confirmed affected, and no fixed version is available at the time of reporting. |
|---|
| ソース | ⚠️ https://github.com/BrowserOperator/browser-operator-core/issues/96 |
|---|
| ユーザー | BruceJin (UID 96538) |
|---|
| 送信 | 2026年04月11日 08:18 (2 月 ago) |
|---|
| モデレーション | 2026年04月27日 19:04 (16 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 359843 [BrowserOperator browser-operator-core 迄 0.6.0 server.js startsWith request.url ディレクトリトラバーサル] |
|---|
| ポイント | 20 |
|---|