Path Manipulation in file mslib/index.py in MSS
Description
A path manipulation vulnerability in MSS's index.py allows an attacker to read arbitrary files via a crafted filename parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Mission Support System (MSS) versions prior to 8.3.3 contain a path manipulation vulnerability in mslib/index.py. The code route (/mss/code/<path:filename>) joins the user-supplied filename parameter with STATIC_LOCATION and 'code' using os.path.join to form the file path _file. Because filename can contain path separators (e.g., ../), an attacker can traverse directories and read arbitrary files from the host filesystem [1][2].
Exploitation
An attacker needs only network access to the MSS instance. No authentication or special privileges are required. By sending a request to /mss/code/<path:filename> with a URL-encoded path traversal payload (e.g., %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd), the attacker can force the application to read files outside the intended directory [1].
Impact
Successful exploitation allows an attacker to read sensitive files on the host filesystem, leading to information disclosure. This could include configuration files, system files (e.g., /etc/passwd), or application secrets, potentially compromising the confidentiality of the system [1].
Mitigation
A patch is available in MSS version 8.3.3 and later. The fix replaces os.path.join with werkzeug.security.safe_join, which rejects paths containing .. components by returning None (triggering a 404 error). Users should upgrade to the latest version. No known workarounds exist [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <8.3.3
- Open-MSS/MSS (v5), Range: >= 5.0.0, < 8.3.3
Vulnerability mechanics
Root cause
"The application improperly joins a user-controlled route parameter with a base path, allowing directory traversal."
Attack vector
An attacker can exploit this vulnerability by manipulating the `filename` route parameter to include path traversal sequences (e.g., `../`). By URL-encoding these sequences, an attacker can trick the application into reading arbitrary files from the host filesystem. For example, a request to `/mss/code/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd` would attempt to read the `/etc/passwd` file [ref_id=1].
Affected code
The vulnerability exists in the `code` method within the `mslib/index.py` file. Specifically, the line `_file = os.path.join(STATIC_LOCATION, 'code', filename)` is responsible for constructing the file path using the tainted `filename` route parameter [ref_id=1].
What the fix does
The patch replaces the direct use of `os.path.join` with `werkzeug.security.safe_join`. This function is designed to prevent path traversal by ensuring that the resulting path remains within the intended directory structure. Additionally, checks are added to verify if the resolved file path is indeed a file before attempting to read its content [ref_id=2].
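The plain join and a containment check side by side, as an added example that is neither the MSS project's code nor Werkzeug's implementation. `contained_join` and `is_contained` are hypothetical standard-library stand-ins for a safe join, and the `STATIC_LOCATION` value is a constructed placeholder.

```python
import posixpath  # os.path on a Linux host; used directly so results are the same everywhere
from urllib.parse import unquote

STATIC_LOCATION = "/srv/mss/static"  # constructed placeholder, not the project's real path
CODE_DIR = posixpath.join(STATIC_LOCATION, "code")


def decode_route_param(raw):
    """Percent-decode a path segment, as happens before the route sees `filename`."""
    return unquote(raw)


def vulnerable_join(filename):
    """Pre-fix behaviour: plain join, then the path the OS would actually open."""
    _file = posixpath.join(STATIC_LOCATION, "code", filename)
    return posixpath.normpath(_file)


def contained_join(filename):
    """Return a path under CODE_DIR, or None when `filename` would leave it."""
    if not filename or "\x00" in filename:
        return None
    cleaned = posixpath.normpath(filename)
    # Absolute paths replace the base in a join; a leading ".." climbs out of it.
    if cleaned.startswith("/") or cleaned == ".." or cleaned.startswith("../"):
        return None
    return posixpath.join(CODE_DIR, cleaned)


def is_contained(path):
    """Independent check: does a normalised path still sit under CODE_DIR?"""
    return posixpath.commonpath([CODE_DIR, posixpath.normpath(path)]) == CODE_DIR


if __name__ == "__main__":
    # Constructed inputs: the encoded payload quoted on this page and a benign name.
    for raw in ("%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd", "tutorial/demo.py"):
        name = decode_route_param(raw)
        old = vulnerable_join(name)
        print(f"{raw!r}\n  plain join -> {old} (contained: {is_contained(old)})")
        print(f"  contained  -> {contained_join(name)}")
```

A `None` result is the case the fixed route turns into a 404; the additional is-a-file check mentioned above would follow on any path that is returned.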
Preconditions
- input: The `filename` route parameter must be controllable by the attacker and can include path traversal sequences.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Open-MSS/MSS/commit/f23033729ee930b97f8bdbd07df0174311c9b658 (mitre, x_refsource_MISC)
- github.com/Open-MSS/MSS/security/advisories/GHSA-pf2h-qjcr-qvq2 (mitre, x_refsource_CONFIRM)