CDP multiplexer
by cloakserve
CVEs (1)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-45727 | hig | 0.45 | — | — | May 18, 2026 | The `cloakserve` CDP multiplexer uses the user-supplied `fingerprint` query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted `fingerprint` value containing path traversal sequences to resolve `user_data_dir` outside the configured `data_dir`. When Chrome fails to start or the process is cleaned up, `shutil.rmtree()` deletes the traversed path, resulting in arbitrary directory deletion. Additionally, `cloakserve` bound to `0.0.0.0` by default, making it network-exposed. ### Impact An attacker with network access to the cloakserve port can delete arbitrary directories accessible to the service user. ### Patches Fixed in v0.3.28. ### Mitigations - Upgrade to v0.3.28 or later - Restrict network access to the cloakserve port |
- risk 0.45cvss —epss —
The `cloakserve` CDP multiplexer uses the user-supplied `fingerprint` query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted `fingerprint` value containing path traversal sequences to resolve `user_data_dir` outside the configured `data_dir`. When Chrome fails to start or the process is cleaned up, `shutil.rmtree()` deletes the traversed path, resulting in arbitrary directory deletion. Additionally, `cloakserve` bound to `0.0.0.0` by default, making it network-exposed. ### Impact An attacker with network access to the cloakserve port can delete arbitrary directories accessible to the service user. ### Patches Fixed in v0.3.28. ### Mitigations - Upgrade to v0.3.28 or later - Restrict network access to the cloakserve port