Browser Operator Core
Monthly
Path traversal in browser-operator-core versions up to 0.6.0 allows remote unauthenticated attackers to read, write, and potentially delete arbitrary files on the server by manipulating the request.url parameter in the startsWith function of server.js. Publicly available exploit code exists (GitHub issue #96), enabling trivial exploitation with no user interaction. CVSS 7.3 reflects network-exploitable attack with low impact across confidentiality, integrity, and availability. No vendor response or patch released despite early responsible disclosure via issue report. This is a critical supply chain risk for any systems running the affected BrowserOperator component server.
Path traversal in browser-operator-core versions up to 0.6.0 allows remote unauthenticated attackers to read, write, and potentially delete arbitrary files on the server by manipulating the request.url parameter in the startsWith function of server.js. Publicly available exploit code exists (GitHub issue #96), enabling trivial exploitation with no user interaction. CVSS 7.3 reflects network-exploitable attack with low impact across confidentiality, integrity, and availability. No vendor response or patch released despite early responsible disclosure via issue report. This is a critical supply chain risk for any systems running the affected BrowserOperator component server.