CVE-2026-35613
Description
coursevault-preview is a utility for previewing course material files from a configured directory. coursevault-preview versions prior to 0.1.1 contain a path traversal vulnerability in the resolveSafe utility. The boundary check used String.prototype.startsWith(baseDir) on a normalized path, which does not enforce a directory boundary. An attacker who controls the relativePath argument to affected CoursevaultPreview methods may be able to read files outside the configured baseDir when a sibling directory exists whose name shares the same string prefix. This vulnerability is fixed in 0.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in coursevault-preview before 0.1.1 allows reading files outside the base directory via a flawed string prefix check.
Vulnerability
The resolveSafe utility in coursevault-preview versions prior to 0.1.1 uses String.prototype.startsWith(baseDir) to validate that a resolved path stays within the configured base directory [1][3]. This check does not enforce a directory boundary, so a path like /srv/courses-admin/config.json passes the guard when baseDir is /srv/courses because the string prefix matches [3].
Exploitation
An attacker who controls the relativePath argument passed to methods such as readFile, previewFile, or getFileMetadata can craft a path that traverses into a sibling directory whose name shares a string prefix with the base directory [1][3]. For example, if baseDir is /srv/courses, a relativePath of ../courses-admin/config.json resolves to /srv/courses-admin/config.json, which incorrectly passes the startsWith check [3]. No network exposure exists in the package itself; the attack is limited to local file disclosure within the host process's file system permissions [3].
Impact
Successful exploitation allows reading files from any sibling directory whose name shares the base directory's name as a string prefix (for example /srv/courses-admin when baseDir is /srv/courses), potentially exposing sensitive configuration files, credentials, or other data [1][3]. Files elsewhere on the host are not reachable through this flaw, since their paths fail the prefix test. The vulnerability is rated Medium (CVSS 5.1) [1].
Mitigation
The vulnerability is fixed in version 0.1.1 [1][3]. The fix replaces the bare string prefix check with a separator-aware comparison that ensures the resolved path either equals the base directory or begins with the base directory followed by a path separator [3]. Users should update to 0.1.1 or later [3].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| coursevault-preview (npm) | < 0.1.1 | 0.1.1 |
Affected products
- cpe:2.3:a:moritzmyrz:coursevault-preview:*:*:*:*:*:node.js:*:* (range: <0.1.1)
- (no CPE) (range: <0.1.1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/moritzmyrz/coursevault-preview/security/advisories/GHSA-9h9m-rr67-9jpg (NVD tags: Exploit, Vendor Advisory; type: WEB)
- github.com/advisories/GHSA-9h9m-rr67-9jpg (GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-35613 (GHSA; type: ADVISORY)
News mentions
No linked articles in our index yet.