Convert
A path traversal in the Bun.serve API endpoint of p2r3 convert allows authenticated remote attackers to access arbitrary files on the server by manipulating the pathname parameter in buildCache.js. The vulnerability affects all versions up to commit 6998584ace3e11db66dff0b423612a5cf91de75b. Exploit code is publicly available, and no vendor patch is forthcoming because the maintainer has not responded. The CVSS score of 5.3 reflects the limited scope (confidentiality only), but the public exploit and the authenticated attack vector present moderate operational risk.
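With no upstream fix, operators have to contain the request pathname themselves. The sketch below is an added example, not code from p2r3 convert: `CACHE_ROOT`, `resolveUnderRoot` and `decide` are hypothetical names, the served directory is an assumption, and the URLs in the usage are constructed.

```javascript
// Added example, not the project's code. CACHE_ROOT is a hypothetical
// directory that the endpoint is meant to serve files from.
const CACHE_ROOT = "/srv/convert/cache";

// Map a request pathname to a file path below `root`, or return null when
// the request must be refused. The pathname is percent-decoded exactly once,
// before any check, so encoded separators and dot segments are judged in
// the form the filesystem would see.
function resolveUnderRoot(root, pathname) {
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch {
    return null; // malformed percent-encoding
  }
  // NUL bytes and backslashes have no place in a served file name.
  if (decoded.includes("\0") || decoded.includes("\\")) return null;

  const segments = decoded.split("/").filter((s) => s !== "");
  if (segments.length === 0) return null;
  for (const seg of segments) {
    // Refuse instead of stripping: "cleaning" dot segments invites bypasses.
    if (seg === "." || seg === "..") return null;
  }
  // If the directory can contain symlinks, also compare the real path of
  // the result against the real path of the root before opening the file.
  return root.replace(/\/+$/, "") + "/" + segments.join("/");
}

// Decision a fetch(req) handler would take for a given request URL.
// URL parsing alone is not a defence: it leaves "%2f" encoded, so a later
// decode can still introduce separators and dot segments.
function decide(requestUrl) {
  const file = resolveUnderRoot(CACHE_ROOT, new URL(requestUrl).pathname);
  return file === null ? { status: 400, file: null } : { status: 200, file };
}
```

In a Bun.serve handler, `decide(req.url)` would run before any file is opened, and a 400 result would be returned without touching the filesystem.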