Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A weakness has been identified in BrowserOperator browser-operator-core up to 0.6.0. Affected is the function startsWith of the file scripts/component_server/server.js. Executing a manipulation of the argument request.url can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Path traversal in browser-operator-core versions up to 0.6.0 allows remote unauthenticated attackers to read, write, and potentially delete arbitrary files on the server by manipulating the request.url parameter in the startsWith function of server.js. Publicly available exploit code exists (GitHub issue #96), enabling trivial exploitation with no user interaction. CVSS 7.3 reflects network-exploitable attack with low impact across confidentiality, integrity, and availability. No vendor response or patch released despite early responsible disclosure via issue report. This is a critical supply chain risk for any systems running the affected BrowserOperator component server.
Technical ContextAI
BrowserOperator browser-operator-core is a browser automation framework component with an embedded HTTP server (scripts/component_server/server.js). The vulnerability stems from improper input validation in the startsWith function when processing HTTP request URLs (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The flawed path validation allows attackers to use directory traversal sequences (e.g., '../../../etc/passwd') to escape intended file access boundaries. The CPE identifies the affected product as cpe:2.3:a:browseroperator:browser-operator-core:*:*:*:*:*:*:*:* with versions through 0.6.0 confirmed vulnerable. The component server likely exposes file serving or file manipulation endpoints without properly canonicalizing or sanitizing user-supplied path components before filesystem operations, a classic path traversal pattern in web servers and API endpoints.
RemediationAI
No vendor-released patch is available at the time of analysis despite early responsible disclosure via GitHub issue #96 (https://github.com/BrowserOperator/browser-operator-core/issues/96). The project maintainers have not responded to the vulnerability report. Organizations currently running browser-operator-core 0.6.0 or earlier should implement compensating controls immediately: (1) Disable or isolate the component_server functionality if not operationally required - this eliminates the attack surface but breaks any workflows depending on the HTTP server; (2) Deploy a web application firewall (WAF) or reverse proxy with strict path traversal pattern filtering to block requests containing '../', encoded traversal sequences (%2e%2e%2f), and absolute paths, though this may cause false positives with legitimate URL patterns; (3) Restrict network access to the component server using firewall rules to trusted IP ranges only, reducing exposure from N (network) to A (adjacent network) in CVSS terms; (4) Run the service under a least-privilege user account with chroot jail or container isolation to limit filesystem access scope if traversal occurs. Monitor the GitHub repository (https://github.com/BrowserOperator/browser-operator-core) for potential community forks with security fixes. Given vendor unresponsiveness, organizations should evaluate migrating to actively maintained browser automation alternatives such as Playwright, Puppeteer, or Selenium for long-term security posture.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26001