| Название | BrowserOperator browser-operator-core 0.6.0 Path Traversal |
|---|
| Описание | A path traversal file read vulnerability (CWE-22) has been identified in the component server of browser-operator-core, specifically within scripts/component_server/server.js. The server derives filePath directly from request.url and joins it with a base directory without proper sanitization, allowing crafted paths containing ../ sequences to traverse outside the intended documentation root. In --traces mode, the boundary check uses a weak startsWith() comparison without path separator enforcement, permitting access to sibling directories with the same prefix (e.g., traces_evil). An attacker with network access to the component server can read arbitrary files from within or adjacent to the generated DevTools output root. Version 0.6.0 is confirmed affected, and no fixed version is available at the time of reporting. |
|---|
| Источник | ⚠️ https://github.com/BrowserOperator/browser-operator-core/issues/96 |
|---|
| Пользователь | BruceJin (UID 96538) |
|---|
| Представление | 11.04.2026 08:18 (2 месяцы назад) |
|---|
| Модерация | 27.04.2026 19:04 (16 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 359843 [BrowserOperator browser-operator-core до 0.6.0 server.js startsWith request.url обход каталога] |
|---|
| Баллы | 20 |
|---|