CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion (High)

Listen to this Post

The vulnerability exists in the `cloakserve` CDP (Chrome DevTools Protocol) multiplexer component of CloakBrowser. The `cloakserve` service binds to `0.0.0.0` by default, exposing it on the network. It accepts HTTP requests with a `fingerprint` query parameter. This parameter is used to construct the filesystem path for Chrome profile directories. The user-supplied `fingerprint` value is concatenated directly into the path without any sanitization or validation. An unauthenticated attacker can send a crafted `fingerprint` containing path traversal sequences such as ../../../. This causes the resolved `user_data_dir` to point outside the intended `data_dir` base directory. When Chrome fails to start (e.g., due to an invalid profile path) or during normal cleanup routines, the application calls `shutil.rmtree()` on the constructed directory path. Because the path now points to an arbitrary directory (e.g., /etc, /var/log, or application data), `shutil.rmtree()` recursively deletes that directory and all its contents. The deletion is performed with the privileges of the user running cloakserve. No authentication is required to trigger this, and the only precondition is network reachability to the `cloakserve` port. The default binding to `0.0.0.0` makes the service remotely accessible. The flaw allows an attacker to delete arbitrary directories, leading to denial of service, data loss, or system instability.

dailycve form:

Platform: CloakBrowser cloakserve
Version: All before v0.3.28
Vulnerability: Path traversal deletion
Severity: High
date: May 12 2026

Prediction: Already patched v0.3.28

What Undercode Say:

Check if cloakserve is bound to 0.0.0.0
netstat -tulpn | grep cloakserve
Simulate path traversal deletion attempt (exploit test)
curl "http://target:port/?fingerprint=../../../tmp/critical_dir"

Exploit:

Delete /etc/passwd (requires service user permissions)
curl -X GET "http://vulnerable-host:8080/?fingerprint=../../../etc/passwd"
Delete entire application data directory
curl "http://vulnerable-host:8080/?fingerprint=../../..${HOME}/.config/cloakbrowser"

Protection from this CVE:

  • Upgrade to CloakBrowser v0.3.28 or later.
  • If patching is not immediate, change `cloakserve` bind address from `0.0.0.0` to `127.0.0.1` and restrict network access via firewall.
  • Implement input validation: reject any `fingerprint` containing `../` or absolute paths.
  • Run `cloakserve` with the least privileges in a sandboxed environment.

Impact:

  • Arbitrary directory deletion on the host system.
  • Denial of service by deleting critical system directories (e.g., /var, /etc, /usr).
  • Data loss for application state, logs, or user data.
  • Potential privilege escalation if deletion of security-related files (e.g., sudoers, pam.d) causes misconfiguration.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top