CVE-2026-35613
Status: Received - Intake
Path Traversal in coursevault-preview Allows Unauthorized File Access

Publication date: 2026-04-07

Last updated on: 2026-05-01

Assigner: GitHub, Inc.

Description
coursevault-preview is a utility for previewing course material files from a configured directory. coursevault-preview versions prior to 0.1.1 contain a path traversal vulnerability in the resolveSafe utility. The boundary check used String.prototype.startsWith(baseDir) on a normalized path, which does not enforce a directory boundary. An attacker who controls the relativePath argument to affected CoursevaultPreview methods may be able to read files outside the configured baseDir when a sibling directory exists whose name shares the same string prefix. This vulnerability is fixed in 0.1.1.
Meta Information
Published: 2026-04-07
Last Modified: 2026-05-01
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Vendor: moritzmyrz
Product: coursevault-preview
Version / Range: all versions before 0.1.1 (0.1.1 itself is not affected)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a path traversal issue in the coursevault-preview npm package affecting versions prior to 0.1.1. The package itself does not listen on the network, so there is no network signature for the package as such; whether it is reachable remotely depends on whether your application passes request-derived input (for example, a file name taken from an HTTP parameter) as the relativePath argument to the affected CoursevaultPreview methods.

To detect if your system is vulnerable, first verify the installed version of coursevault-preview. If it is older than 0.1.1, it is vulnerable.

You can check the installed version using the following command in your project directory:

  • npm list coursevault-preview

To detect exploitation attempts, log the relativePath values passed to coursevault-preview methods together with the absolute paths they resolve to, and flag any resolved path that is neither the configured baseDir itself nor located beneath baseDir followed by a path separator. Searching only for "../" sequences is a weaker signal: the bypass described in the advisory does use "../" to step into a sibling directory, but legitimate inputs may also contain "../" and still resolve inside baseDir after normalization.

Since the vulnerability is in the resolveSafe utility's boundary check, you should also audit your codebase for every call to coursevault-preview methods that accept a relativePath argument and check whether the caller validates that argument before the call, since a vulnerable version does not validate it correctly.


What immediate steps should I take to mitigate this vulnerability?

The primary and immediate mitigation step is to upgrade coursevault-preview to version 0.1.1 or later, where the path traversal vulnerability is fixed.

If upgrading is not immediately possible, ensure that any input passed as relativePath to coursevault-preview methods is strictly validated and sanitized to prevent directory traversal sequences.

Additionally, restrict file system permissions so that the process running coursevault-preview has access only to the intended base directory and cannot read sensitive files outside it.

Review and apply the fix pattern from the advisory, which enforces a separator-aware path boundary check to prevent bypasses.


Can you explain this vulnerability to me?

CVE-2026-35613 is a path traversal vulnerability in the coursevault-preview utility, affecting versions prior to 0.1.1. The vulnerability exists because the utility uses an improper method to check if a file path is within a configured base directory. Specifically, it uses a string prefix check with String.prototype.startsWith(baseDir) on a normalized path, which does not correctly enforce directory boundaries.

This flaw allows an attacker who controls the relativePath argument to access files outside the intended base directory whenever a sibling directory exists whose name begins with the base directory's name. For example, if the base directory is /srv/courses, the relativePath ../courses-admin/config.json normalizes to /srv/courses-admin/config.json; that string begins with /srv/courses, so the prefix check accepts it even though the file lies outside the base directory. A classic traversal such as ../../etc/passwd is still rejected by the prefix check, which is why the bypass depends on such a sibling directory existing.

The vulnerability is fixed in version 0.1.1 by replacing the prefix check with a separator-aware comparison that accepts a resolved path only if it equals the base directory or begins with the base directory followed by a path separator, so that only the base directory and its subdirectories are allowed.


How can this vulnerability impact me?

If you use a vulnerable version of coursevault-preview and your application passes untrusted input as the relativePath argument to affected methods, an attacker who controls that input can read files outside the intended base directory, provided a sibling directory exists whose name begins with the base directory's name.

This can lead to unauthorized disclosure of sensitive files on the host system, limited by the filesystem permissions of the host process.

The package itself has no network exposure, so reachability depends on how your application uses it: if relativePath is built from remote input, the flaw is remotely exploitable. In every case the attacker also needs a directory next to baseDir whose name begins with baseDir's name (for example /srv/courses-admin beside /srv/courses), which limits which files can be reached.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker to read files outside the intended directory, potentially exposing sensitive or confidential information stored on the host system.

Such unauthorized file disclosure could lead to violations of data protection regulations like GDPR or HIPAA if personal data or protected health information is accessed without authorization.

However, the vulnerability is limited to files readable by the host process that lie in a prefix-sharing sibling of the base directory, so the actual compliance impact depends on what data is stored there and how the application exposes the affected methods.

