GHSA-9H9M-RR67-9JPG
Vulnerability from github – Published: 2026-04-08 00:06 – Updated: 2026-04-08 00:06Summary
coursevault-preview versions prior to 0.1.1 contain a path traversal vulnerability in the resolveSafe utility. The boundary check used String.prototype.startsWith(baseDir) on a normalized path, which does not enforce a directory boundary. An attacker who controls the relativePath argument to affected CoursevaultPreview methods may be able to read files outside the configured baseDir when a sibling directory exists whose name shares the same string prefix.
Details
The vulnerable code in src/utils/errors.ts:
if (!full.startsWith(base)) { // ← insufficient
throw new Error("Path escapes the base directory");
}
Because the check is a raw string prefix test rather than a path-boundary test, the following bypass is possible:
baseDir = "/srv/courses"
payload = "../courses-admin/config.json"
resolved = "/srv/courses-admin/config.json"
"/srv/courses-admin/config.json".startsWith("/srv/courses") // → true ✗
Any file whose absolute path begins with the baseDir string — including files in sibling directories that share a name prefix — passes the guard and can be accessed by the caller through affected file-access methods.
The fix replaces the check with a separator-aware comparison:
if (full !== base && !full.startsWith(base + sep)) {
throw new Error("Path escapes the base directory");
}
Impact
An application that passes untrusted input as the relativePath argument to affected file-access methods may expose file contents outside the intended directory.
- Attacker control over the
relativePathparameter. - A sibling directory on the filesystem whose name shares a string prefix with
baseDir.
There is no network exposure in the package itself; impact is limited to local file disclosure within the host process's file system permissions.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "coursevault-preview"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35613"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T00:06:03Z",
"nvd_published_at": "2026-04-07T17:16:35Z",
"severity": "MODERATE"
},
"details": "## Summary\n\n`coursevault-preview` versions prior to `0.1.1` contain a path traversal vulnerability in the `resolveSafe` utility. The boundary check used `String.prototype.startsWith(baseDir)` on a normalized path, which does not enforce a directory boundary. An attacker who controls the `relativePath` argument to affected `CoursevaultPreview` methods may be able to read files outside the configured `baseDir` when a sibling directory exists whose name shares the same string prefix.\n\n## Details\n\nThe vulnerable code in `src/utils/errors.ts`:\n\n```ts\nif (!full.startsWith(base)) { // \u2190 insufficient\n throw new Error(\"Path escapes the base directory\");\n}\n```\n\nBecause the check is a raw string prefix test rather than a path-boundary test, the following bypass is possible:\n\n```\nbaseDir = \"/srv/courses\"\npayload = \"../courses-admin/config.json\"\nresolved = \"/srv/courses-admin/config.json\"\n\n\"/srv/courses-admin/config.json\".startsWith(\"/srv/courses\") // \u2192 true \u2717\n```\n\nAny file whose absolute path begins with the `baseDir` string \u2014 including files in sibling directories that share a name prefix \u2014 passes the guard and can be accessed by the caller through affected file-access methods.\n\nThe fix replaces the check with a separator-aware comparison:\n\n```ts\nif (full !== base \u0026\u0026 !full.startsWith(base + sep)) {\n throw new Error(\"Path escapes the base directory\");\n}\n```\n\n## Impact\n\nAn application that passes untrusted input as the `relativePath` argument to affected file-access methods may expose file contents outside the intended directory.\n\n1. Attacker control over the `relativePath` parameter.\n2. A sibling directory on the filesystem whose name shares a string prefix with `baseDir`.\n\nThere is no network exposure in the package itself; impact is limited to local file disclosure within the host process\u0027s file system permissions.",
"id": "GHSA-9h9m-rr67-9jpg",
"modified": "2026-04-08T00:06:03Z",
"published": "2026-04-08T00:06:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/moritzmyrz/coursevault-preview/security/advisories/GHSA-9h9m-rr67-9jpg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35613"
},
{
"type": "PACKAGE",
"url": "https://github.com/moritzmyrz/coursevault-preview"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "coursevault-preview has a path traversal due to improper base-directory boundary validation"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.