CVE-2026-45727
CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion
Description
The `cloakserve` CDP multiplexer uses the user-supplied `fingerprint` query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted `fingerprint` value containing path traversal sequences to resolve `user_data_dir` outside the configured `data_dir`. When Chrome fails to start or the process is cleaned up, `shutil.rmtree()` deletes the traversed path, resulting in arbitrary directory deletion. Additionally, `cloakserve` bound to `0.0.0.0` by default, making it network-exposed.

### Impact

An attacker with network access to the cloakserve port can delete arbitrary directories accessible to the service user.

### Patches

Fixed in v0.3.28.

### Mitigations

- Upgrade to v0.3.28 or later
- Restrict network access to the cloakserve port
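The flawed pattern described above next to a hardened path builder, as an added example. This is not CloakBrowser's code and not the v0.3.28 patch; the function names, the fingerprint allow-list and the sample inputs are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Hypothetical allow-list: the advisory does not say what a valid fingerprint looks like.
_SAFE_FINGERPRINT = re.compile(r"[A-Za-z0-9_-]{1,64}")


def unsafe_profile_dir(data_dir: Path, fingerprint: str) -> Path:
    """The flawed pattern: request input used directly as a path component."""
    return Path(os.path.normpath(data_dir / fingerprint))


def safe_profile_dir(data_dir: Path, fingerprint: str) -> Path:
    """Return a profile directory guaranteed to sit directly under data_dir."""
    if not _SAFE_FINGERPRINT.fullmatch(fingerprint):
        raise ValueError("fingerprint contains characters outside the allow-list")
    root = data_dir.resolve()
    candidate = (root / fingerprint).resolve()
    # Defence in depth: resolve() follows symlinks, so a profile directory that
    # is a symlink to somewhere else is rejected before any rmtree() can run.
    if candidate.parent != root:
        raise ValueError("profile directory escapes data_dir")
    return candidate


def demo() -> dict:
    """Run constructed inputs through both builders inside a scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        base = Path(scratch).resolve()
        data_dir = base / "profiles"
        data_dir.mkdir()
        results = {}
        for fp in ["a1b2c3", "../victim", "..", "/abs/path", "x/../../victim"]:
            unsafe = unsafe_profile_dir(data_dir, fp)
            escaped = data_dir not in unsafe.parents
            try:
                safe_profile_dir(data_dir, fp)
                accepted = True
            except ValueError:
                accepted = False
            results[fp] = (escaped, accepted)
        return results


if __name__ == "__main__":
    for fp, (escaped, accepted) in demo().items():
        print(f"{fp!r}: unsafe path escapes data_dir={escaped}, hardened accepts={accepted}")
```

Any cleanup routine that calls `shutil.rmtree()` should receive only a path returned by the hardened builder, so the deletion target is re-validated rather than trusted from the request.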
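How to fix CVE-2026-45727
To fix CVE-2026-45727, upgrade the affected package to the patched version below.
- — Upgrade to 0.3.28 or later
Is CVE-2026-45727 being exploited?
Low: EPSS is 0.1%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)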
- from 0, < 0.3.28
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N |