CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion
Description
The cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal sequences to resolve user_data_dir outside the configured data_dir. When Chrome fails to start or the process is cleaned up, shutil.rmtree() deletes the traversed path, resulting in arbitrary directory deletion.
Additionally, cloakserve bound to 0.0.0.0 by default, making it network-exposed.
Impact
An attacker with network access to the cloakserve port can delete arbitrary directories accessible to the service user.
Patches
Fixed in v0.3.28.
Mitigations
- Upgrade to v0.3.28 or later
- Restrict network access to the cloakserve port
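The path handling described above, as an added example (not CloakBrowser's code and not the v0.3.28 patch): a request value joined directly onto data_dir, beside a hardened form that allow-lists the value and checks containment after resolution. The function names, the fingerprint allow-list and the sample values are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: fingerprints are short opaque tokens; this allow-list is illustrative.
_FINGERPRINT_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def unsafe_profile_dir(data_dir: Path, fingerprint: str) -> Path:
    """Pattern the advisory describes: request value used directly as a path component."""
    return data_dir / fingerprint


def safe_profile_dir(data_dir: Path, fingerprint: str) -> Path:
    """Return a profile path that is a direct child of data_dir, or raise ValueError."""
    if not _FINGERPRINT_RE.fullmatch(fingerprint):
        raise ValueError("fingerprint contains characters outside the allow-list")
    root = data_dir.resolve()
    candidate = (root / fingerprint).resolve()
    # Defence in depth: confirm containment after resolution as well, which also
    # catches a symlink inside data_dir that points elsewhere.
    if candidate.parent != root:
        raise ValueError("profile path escapes data_dir")
    return candidate


def escapes(data_dir: Path, path: Path) -> bool:
    """True if path resolves outside data_dir; worth re-checking right before rmtree()."""
    return not path.resolve().is_relative_to(data_dir.resolve())


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = Path(tmp) / "data"
        data_dir.mkdir()
        crafted = "../outside"  # constructed sample value
        results = {
            "unsafe_escapes": escapes(data_dir, unsafe_profile_dir(data_dir, crafted)),
            "safe_ok": not escapes(data_dir, safe_profile_dir(data_dir, "fp_1234")),
        }
        try:
            safe_profile_dir(data_dir, crafted)
            results["crafted_rejected"] = False
        except ValueError:
            results["crafted_rejected"] = True
        return results
```

Nothing is deleted in the demo; the containment check is the part to repeat immediately before any cleanup call that removes a directory tree.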
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated path traversal in cloakserve allows arbitrary directory deletion via crafted fingerprint parameter.
Vulnerability
The cloakserve CDP multiplexer, part of the CloakBrowser project, accepts a user-supplied fingerprint query parameter that is used directly as a filesystem path component when creating Chrome profile directories. By default, cloakserve binds to 0.0.0.0, making it network-accessible. An unauthenticated attacker can supply a crafted fingerprint value containing path traversal sequences (e.g., ../), causing the resulting user_data_dir to resolve outside the intended data_dir. Affected versions are those prior to v0.3.28.
Exploitation
An attacker who can reach the cloakserve port (default network exposure) sends an HTTP request with a malicious fingerprint parameter containing path traversal sequences. The service uses this value to construct a path for a Chrome profile directory. When Chrome fails to start or the process is cleaned up, shutil.rmtree() is called on the constructed path, deleting the traversed directory. No authentication is required; only network access to the cloakserve port is needed [1][2][3].
Impact
Successful exploitation allows an unauthenticated attacker to delete arbitrary directories on the filesystem that are accessible to the service user. This can lead to data loss, denial of service, and potential disruption of the host system or other services [1][2][3].
Mitigation
The vulnerability is fixed in version v0.3.28. Users should upgrade to this version or later. As a workaround, restrict network access to the cloakserve port to only trusted hosts, for example by using a firewall or binding the service to 127.0.0.1 instead of 0.0.0.0 [1][2][3].
- GitHub - CloakHQ/CloakBrowser: Stealth Chromium that passes every bot detection test. Drop-in Playwright replacement with source-level fingerprint patches. 30/30 tests passed.
- CVE-2026-45727 - GitHub Advisory Database
- Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <= 0.3.27
- Range: <= 0.3.27