Severity by source
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
coursevault-preview is a utility for previewing course material files from a configured directory. coursevault-preview versions prior to 0.1.1 contain a path traversal vulnerability in the resolveSafe utility. The boundary check used String.prototype.startsWith(baseDir) on a normalized path, which does not enforce a directory boundary. An attacker who controls the relativePath argument to affected CoursevaultPreview methods may be able to read files outside the configured baseDir when a sibling directory exists whose name shares the same string prefix. This vulnerability is fixed in 0.1.1.
AnalysisAI
Path traversal in coursevault-preview versions before 0.1.1 allows local attackers without authentication to read arbitrary files outside the configured base directory by exploiting a flawed boundary check in the resolveSafe utility. The vulnerability exists because the code uses String.prototype.startsWith() to validate normalized paths, which fails to enforce proper directory boundaries when sibling directories share the same string prefix. This enables disclosure of sensitive files on systems where the application is installed.
Technical ContextAI
coursevault-preview is a Node.js utility for safely previewing course material files from a configured directory. The vulnerability resides in the resolveSafe path normalization function, which implements CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The root cause is insufficient directory boundary enforcement: the code normalizes the provided relativePath and then checks if it starts with the baseDir string using startsWith(). This approach fails because string prefix matching does not account for directory separators. For example, if baseDir is '/course' and a sibling directory '/course_backup' exists, an attacker can construct a path like '../course_backup/../../../etc/passwd' that, after normalization, may begin with the '/course' prefix but actually reference files outside the intended boundary. The affected product is identified by CPE cpe:2.3:a:moritzmyrz:coursevault-preview:*:*:*:*:*:*:*:*, indicating all versions prior to 0.1.1 are vulnerable.
RemediationAI
Vendor-released patch: upgrade to coursevault-preview version 0.1.1 or later, which corrects the path traversal flaw by implementing proper directory boundary enforcement in the resolveSafe utility. Update your package via npm using 'npm install coursevault-preview@latest' or by explicitly specifying version 0.1.1 or higher in your package.json. If immediate upgrade is not feasible, review application deployments to ensure coursevault-preview operates with minimal file system exposure, restrict the baseDir to a dedicated directory tree without sibling directories containing sensitive data, and monitor for any unauthorized file access attempts in application logs. Consult the GitHub Security Advisory (https://github.com/moritzmyrz/coursevault-preview/security/advisories/GHSA-9h9m-rr67-9jpg) for additional context and patching timeline details.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19790
GHSA-9h9m-rr67-9jpg