logo

Database

Lack of data validation - Path Traversal In cloakbrowser

Description

CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion The cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal sequences to resolve user_data_dir outside the configured data_dir. When Chrome fails to start or the process is cleaned up, shutil.rmtree() deletes the traversed path, resulting in arbitrary directory deletion.

Additionally, cloakserve bound to 0.0.0.0 by default, making it network-exposed.

Impact

An attacker with network access to the cloakserve port can delete arbitrary directories accessible to the service user.

Patches

Fixed in v0.3.28.

Mitigations

    Upgrade to v0.3.28 or later

    Restrict network access to the cloakserve port

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-457272. NVD-2026-457273. OSV-2026-457274. GHSA-mf33-gv72-w2h55. GCVE-2026-45727

References

1. https://github.com/CloakHQ/CloakBrowser/security/advisories/GHSA-mf33-gv72-w2h5

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.