How GHSA-85jm-cwp2-mvpv Works
The `FolderSchemeHandlerFactory` in CefSharp.Common is a custom scheme handler that maps requested URLs to files under a configured `rootFolder`. In vulnerable versions (0.0.1 through 144.0.120), the factory canonicalizes `rootFolder`, URL-decodes the incoming request path, combines it with the root, and then validates the result using a raw string prefix check:

```csharp
filePath.StartsWith(rootFolder, StringComparison.OrdinalIgnoreCase)
```

This check does not enforce a directory boundary. It only verifies that the resolved file path begins with the root folder string. An attacker can exploit this by crafting a request that traverses into a sibling directory whose full path also starts with the root folder string.

For example, if `rootFolder` is set to `/tmp/app/www`, a request for `https://host/..%2fwww2/secret.txt` gets URL-decoded to `../www2/secret.txt`, combined with the root, and canonicalized to `/tmp/app/www2/secret.txt`. Because `/tmp/app/www2/secret.txt` starts with `/tmp/app/www` as a string prefix, the check passes, even though `www2` is a sibling of `www`, not a child. The same issue occurs on Windows: `C:\app\www2\secret.txt` starts with `C:\app\www`.

The vulnerable code was reviewed at commit `b5fef3bb4bc58798c95170078c41de92cfe9066e`, and the affected assembly version is 147.0.100. The fix, released in version 148.0.90, replaces the raw prefix check with a strict directory-boundary validation that ensures the resolved path is truly contained within `rootFolder`.

An attacker who can cause the embedded browser to request URLs handled by the affected scheme registration can read arbitrary files outside the intended served directory. This is especially dangerous when sensitive sibling directories share a common root prefix (e.g., `www`/`www2`, `public`/`public_backup`, `static`/`static-secrets`).
DailyCVE Form:

| Field | Value |
|-|-|
| Platform | CefSharp.Common |
| Version | 0.0.1 – 144.0.120 |
| Vulnerability | Path Traversal |
| Severity | Medium |
| Date | 2026-06-30 |
| Prediction | 2026-07-15 |
What Undercode Says (Analytics)

Affected component: `FolderSchemeHandlerFactory`
Vulnerable method: `CreateResourceHandler` (path resolution logic)
Root cause: Raw string prefix check (`StartsWith`) instead of a directory-boundary check
Bash commands to detect vulnerable installations:

```bash
# Check the installed CefSharp.Common NuGet package version
dotnet list package --include-transitive | grep -i CefSharp.Common
# Find all project files in the solution that reference CefSharp.Common
find . -name "*.csproj" -exec grep -H "CefSharp.Common" {} \;
# Verify whether the vulnerable commit is present in the source
# (use full hashes: --oneline would abbreviate them and the grep would never match)
git log --format=%H | grep b5fef3bb4bc58798c95170078c41de92cfe9066e
```
Code snippet showing the vulnerable check (before fix):

```csharp
// Vulnerable implementation (simplified)
string rootFolder = Path.GetFullPath(configuredRoot);
string requestPath = Uri.UnescapeDataString(request.Url.Path);
string fullPath = Path.GetFullPath(Path.Combine(rootFolder, requestPath));
// Raw prefix check: "/tmp/app/www2/secret.txt" starts with "/tmp/app/www"
if (fullPath.StartsWith(rootFolder, StringComparison.OrdinalIgnoreCase))
{
    // Serves the file — but this allows sibling directories!
    return new ResourceHandler(fullPath);
}
```
Fixed implementation (conceptual):

```csharp
// Secure implementation
string rootFolder = Path.GetFullPath(configuredRoot);
string requestPath = Uri.UnescapeDataString(request.Url.Path);
string fullPath = Path.GetFullPath(Path.Combine(rootFolder, requestPath));
// Enforce directory boundary: the path must be the root itself or lie below
// "root + separator". Note: if the root is a file-system root such as "C:\"
// or "/", GetFullPath keeps its trailing separator, so trim it before
// appending one. On case-sensitive file systems use StringComparison.Ordinal,
// otherwise a sibling directory differing only in case would pass.
if (fullPath.StartsWith(rootFolder + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase) ||
    fullPath.Equals(rootFolder, StringComparison.OrdinalIgnoreCase))
{
    return new ResourceHandler(fullPath);
}
// Otherwise return 404
```
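As an added example (not CefSharp's own code), the two checks side by side in C#: the advisory's raw `StartsWith` prefix test and a strict directory-boundary check, run over the advisory's `www`/`www2` traversal so that the prefix check passes while the boundary check rejects it. It assumes .NET 6 or later (for `Path.TrimEndingDirectorySeparator` and `Path.EndsInDirectorySeparator`); the names `PrefixCheck` and `IsWithinRoot` are hypothetical.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;

// Added example, not CefSharp's own code: the advisory's raw prefix check
// next to a strict directory-boundary check. Assumes .NET 6 or later.
static class PathContainment
{
    // Match the host file system: Linux is case-sensitive, Windows and macOS
    // default to case-insensitive. OrdinalIgnoreCase on a case-sensitive file
    // system would admit a sibling directory that differs only in case.
    static readonly StringComparison Cmp =
        RuntimeInformation.IsOSPlatform(OSPlatform.Linux)
            ? StringComparison.Ordinal
            : StringComparison.OrdinalIgnoreCase;

    // The vulnerable check from the advisory: string prefix only, no boundary.
    // "/tmp/app/www2/secret.txt" starts with "/tmp/app/www", so it passes.
    public static bool PrefixCheck(string rootFolder, string requestPath)
    {
        string root = Path.GetFullPath(rootFolder);
        string full = Path.GetFullPath(Path.Combine(root, requestPath));
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase);
    }

    // Strict containment: the resolved path is the root itself, or starts with
    // the root followed by a separator. A root like "/" or "C:\" already ends
    // in a separator, so none is appended. An absolute requestPath (returned
    // unchanged by Path.Combine) resolves outside the root and is rejected.
    public static bool IsWithinRoot(string rootFolder, string requestPath, out string resolved)
    {
        string root = Path.TrimEndingDirectorySeparator(Path.GetFullPath(rootFolder));
        string rootWithSep = Path.EndsInDirectorySeparator(root) ? root : root + Path.DirectorySeparatorChar;
        resolved = Path.GetFullPath(Path.Combine(root, requestPath));
        return resolved.Equals(root, Cmp) || resolved.StartsWith(rootWithSep, Cmp);
    }

    static void Main()
    {
        // Constructed sample mirroring the advisory: <temp>/app/www as the root,
        // the decoded traversal "../www2/secret.txt", and a legitimate file.
        // Only the path checks run; no files are created or read.
        string root = Path.Combine(Path.GetTempPath(), "app", "www");
        string traversal = Uri.UnescapeDataString("..%2fwww2/secret.txt");

        Console.WriteLine($"prefix check,   traversal:  {PrefixCheck(root, traversal)}");
        Console.WriteLine($"boundary check, traversal:  {IsWithinRoot(root, traversal, out string r1)} ({r1})");
        Console.WriteLine($"boundary check, index.html: {IsWithinRoot(root, "index.html", out string r2)} ({r2})");
    }
}
```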
Exploit

Proof of Concept (PoC):

1. Set `rootFolder` to a directory named `www` and create a sibling directory `www2`:

```text
<temp>/www/index.html
<temp>/www2/secret.txt
```

2. Register `FolderSchemeHandlerFactory` for the scheme and host used in step 3.
3. Send a GET request with an encoded path traversal sequence:

```text
https://folderschemehandlerfactory.test/..%2fwww2/secret.txt
```

4. The server URL-decodes the path to `../www2/secret.txt`, combines it with `rootFolder`, and canonicalizes it to `<temp>/www2/secret.txt`.
5. Because the raw string `StartsWith` check passes, the server responds with HTTP 200 and serves the contents of `secret.txt` from outside `rootFolder`.

Expected vulnerable result: HTTP 200 with the contents of `secret.txt`
Expected fixed result: HTTP 404 (or equivalent not-found)
Protection

- Upgrade to CefSharp.Common version 148.0.90 or later.
- If an upgrade is not immediately possible, replace the raw prefix check with a strict directory-boundary validation that ensures the resolved path is within `rootFolder` (e.g., compare canonicalized full paths and require the candidate path to be under the root directory).
- Ensure the embedded browser cannot be coerced into making requests for URLs handled by the affected scheme registration; prevent untrusted content from triggering `FolderSchemeHandlerFactory`-handled requests.
- Audit all usages of `FolderSchemeHandlerFactory` to confirm no sibling directories (e.g., `www`/`www2`, `public`/`public_backup`) are exposed unintentionally.
Impact
- Confidentiality: An attacker can read arbitrary local files outside the intended served directory, potentially exposing sensitive configuration files, credentials, source code, or user data.
- Attack Vector: The attacker must be able to cause the embedded browser to request a specially crafted URL handled by the affected scheme registration. This is particularly dangerous in applications that load untrusted or user-supplied content into the embedded browser.
- Scope: All applications using `FolderSchemeHandlerFactory` for a custom scheme or registered HTTP/HTTPS scheme in vulnerable versions (0.0.1 – 144.0.120) are affected.
- Mitigation: Upgrade to the fixed version or apply the directory-boundary check as described above.
Sources:
Reported By: github.com