Executive Summary

CVE-2026-35613 is a path traversal vulnerability in the coursevault-preview utility, affecting versions prior to 0.1.1. The vulnerability exists because the utility uses an improper method to check if a file path is within a configured base directory. Specifically, it uses a string prefix check with String.prototype.startsWith(baseDir) on a normalized path, which does not correctly enforce directory boundaries.

This flaw allows an attacker who controls the relativePath argument to access files outside the intended base directory if a sibling directory exists with a name sharing the same prefix. For example, if the base directory is /srv/courses, an attacker can use a path like ../courses-admin/config.json to access files in /srv/courses-admin, bypassing the intended restriction.

The vulnerability is fixed in version 0.1.1 by replacing the prefix check with a separator-aware comparison that ensures only paths strictly within the base directory or its subdirectories are allowed.

Useful 0 Not Useful 0

Impact Analysis

If you use a vulnerable version of coursevault-preview and your application passes untrusted input as the relativePath argument to affected methods, an attacker with local access can read files outside the intended directory.

This can lead to unauthorized disclosure of sensitive files on the host system, limited by the filesystem permissions of the host process.

There is no inherent network exposure in the package itself, so the attack requires local access and has a high attack complexity.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is a local path traversal issue in the coursevault-preview package affecting versions prior to 0.1.1. It is not exposed over the network, so network detection is not applicable.

To detect if your system is vulnerable, first verify the installed version of coursevault-preview. If it is older than 0.1.1, it is vulnerable.

You can check the installed version using the following command in your project directory:

• npm list coursevault-preview

To detect potential exploitation attempts locally, you can monitor file access patterns or logs for unusual relative paths containing directory traversal sequences like "../" passed to coursevault-preview methods.

Since the vulnerability involves the resolveSafe utility improperly validating paths, you may also audit your codebase for usage of coursevault-preview methods that accept relativePath arguments and check if they sanitize inputs correctly.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and immediate mitigation step is to upgrade coursevault-preview to version 0.1.1 or later, where the path traversal vulnerability is fixed.

If upgrading is not immediately possible, ensure that any input passed as relativePath to coursevault-preview methods is strictly validated and sanitized to prevent directory traversal sequences.

Additionally, restrict file system permissions so that the process running coursevault-preview has access only to the intended base directory and cannot read sensitive files outside it.

Review and apply the fix pattern from the advisory, which enforces a separator-aware path boundary check to prevent bypasses.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to read files outside the intended directory, potentially exposing sensitive or confidential information stored on the host system.

Such unauthorized local file disclosure could lead to violations of data protection regulations like GDPR or HIPAA if personal or protected health information is accessed without authorization.

However, the vulnerability is limited to local file access and depends on the host filesystem permissions, so the actual compliance impact depends on what data is exposed and how the application is used.

Useful 0 Not Useful 0