CVE-2026-35613

描述

## Summary `coursevault-preview` versions prior to `0.1.1` contain a path traversal vulnerability in the `resolveSafe` utility. The boundary check used `String.prototype.startsWith(baseDir)` on a normalized path, which does not enforce a directory boundary. An attacker who controls the `relativePath` argument to affected `CoursevaultPreview` methods may be able to read files outside the configured `baseDir` when a sibling directory exists whose name shares the same string prefix. ## Details The vulnerable code in `src/utils/errors.ts`: ```ts if (!full.startsWith(base)) { // ← insufficient throw new Error("Path escapes the base directory"); } ``` Because the check is a raw string prefix test rather than a path-boundary test, the following bypass is possible: ``` baseDir = "/srv/courses" payload = "../courses-admin/config.json" resolved = "/srv/courses-admin/config.json" "/srv/courses-admin/config.json".startsWith("/srv/courses") // → true ✗ ``` Any file whose absolute path begins with the `baseDir` string — including files in sibling directories that share a name prefix — passes the guard and can be accessed by the caller through affected file-access methods. The fix replaces the check with a separator-aware comparison: ```ts if (full !== base && !full.startsWith(base + sep)) { throw new Error("Path escapes the base directory"); } ``` ## Impact An application that passes untrusted input as the `relativePath` argument to affected file-access methods may expose file contents outside the intended directory. 1. Attacker control over the `relativePath` parameter. 2. A sibling directory on the filesystem whose name shares a string prefix with `baseDir`. There is no network exposure in the package itself; impact is limited to local file disclosure within the host process's file system permissions.

如何修補 CVE-2026-35613

要修補 CVE-2026-35613,請將受影響套件升級到下列已修補版本。

• —升級至 0.1.1 或更新版本

CVE-2026-35613 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)