CVE-2026-55629
Received Received - Intake

Path Traversal Vulnerability in Whistle Proxy

Vulnerability report for CVE-2026-55629, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Whistle is an HTTP, HTTP2, HTTPS, and WebSocket debugging proxy. Prior to 2.10.3, lib/service/service.js handles GET /cgi-bin/temp/get by reading req.query.filename, joining it to TEMP_FILES_PATH only when it matches the temporary file pattern, and otherwise passing the user-supplied filename directly to getFile, allowing a remote attacker to read arbitrary files such as /etc/passwd. This issue is reported as fixed in version 2.10.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
avwo whistle to 2.10.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a path traversal vulnerability in the whistle HTTP debugging proxy. It affects versions before 2.10.3. The issue occurs in the /cgi-bin/temp/get endpoint where user input in the filename query parameter is not properly sanitized. The code only validates the filename against a temporary file pattern before joining it to a safe directory. If validation fails, the user input is used directly to read files, allowing access to arbitrary system files like /etc/passwd.

Detection Guidance

Check if your whistle instance is running a version prior to 2.10.3 by running: whistle -v. If vulnerable, test the endpoint by sending a GET request to /cgi-bin/temp/get?filename=../../../../etc/passwd to see if it returns file contents.

Impact Analysis

An attacker could exploit this to read sensitive files on the system running the whistle proxy. This includes configuration files, user data, or system files containing passwords. The impact depends on the privileges of the whistle service and the files accessible to it.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating compliance requirements for data protection such as GDPR and HIPAA. Exposure of personal or health information due to file access could result in regulatory penalties and loss of trust.

Mitigation Strategies

Upgrade whistle to version 2.10.3 or later immediately. If upgrading is not possible, restrict access to the /cgi-bin/temp/get endpoint or disable it entirely until patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55629. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart