| Title | BrowserOperator browser-operator-core 0.6.0 Path Traversal |
|---|
| Description | A path traversal file read vulnerability (CWE-22) has been identified in the component server of browser-operator-core, specifically within scripts/component_server/server.js. The server derives filePath directly from request.url and joins it with a base directory without proper sanitization, allowing crafted paths containing ../ sequences to traverse outside the intended documentation root. In --traces mode, the boundary check uses a weak startsWith() comparison without path separator enforcement, permitting access to sibling directories with the same prefix (e.g., traces_evil). An attacker with network access to the component server can read arbitrary files from within or adjacent to the generated DevTools output root. Version 0.6.0 is confirmed affected, and no fixed version is available at the time of reporting. |
|---|
| Source | ⚠️ https://github.com/BrowserOperator/browser-operator-core/issues/96 |
|---|
| User | BruceJin (UID 96538) |
|---|
| Submission | 04/11/2026 08:18 (17 days ago) |
|---|
| Moderation | 04/27/2026 19:04 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 359843 [BrowserOperator browser-operator-core up to 0.6.0 server.js startsWith request.url path traversal] |
|---|
| Points | 20 |
|---|