CVE-2026-35613 Overview
CVE-2026-35613 is a path traversal vulnerability affecting coursevault-preview, a utility for previewing course material files from a configured directory. Versions prior to 0.1.1 contain a flaw in the resolveSafe utility where the boundary check uses String.prototype.startsWith(baseDir) on a normalized path. This approach does not properly enforce directory boundaries, allowing attackers who control the relativePath argument to read files outside the configured baseDir when a sibling directory exists whose name shares the same string prefix.
Critical Impact
Attackers can bypass directory restrictions to access sensitive files outside the intended base directory, potentially exposing configuration files, credentials, or other confidential course materials.
Affected Products
- coursevault-preview versions prior to 0.1.1
Discovery Timeline
- 2026-04-07 - CVE CVE-2026-35613 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35613
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in the resolveSafe utility function within coursevault-preview. The core issue lies in how the application validates whether a requested file path remains within the allowed base directory. The vulnerable implementation uses JavaScript's String.prototype.startsWith(baseDir) method to check if a normalized path begins with the expected base directory string.
The fundamental flaw is that startsWith() performs a simple string prefix comparison rather than enforcing actual directory hierarchy boundaries. For instance, if the configured baseDir is /app/courses, an attacker could potentially access /app/courses-private/secret.txt because the path string technically starts with /app/courses. This occurs when a sibling directory shares the same naming prefix as the base directory.
Successful exploitation requires local access and depends on the existence of similarly-named sibling directories on the target system. While the attack complexity is elevated due to these prerequisites, successful exploitation can lead to disclosure of highly sensitive information outside the intended directory scope.
Root Cause
The root cause is improper input validation in the path resolution logic. The resolveSafe function relies on string prefix matching (startsWith()) rather than proper directory hierarchy validation. A secure implementation would ensure that after path normalization, the resulting path not only starts with the base directory string but also continues with a path separator or terminates at the exact base directory length, confirming the target is genuinely within the directory tree.
Attack Vector
The attack vector is local, requiring the attacker to have some level of access to control the relativePath argument passed to CoursevaultPreview methods. The exploitation scenario involves:
- Identifying the configured baseDir for the coursevault-preview instance
- Discovering sibling directories that share the same string prefix as the baseDir
- Crafting a malicious relativePath that, when normalized and concatenated, points to a sibling directory
- Reading sensitive files from the sibling directory that would normally be inaccessible
The vulnerability mechanism works through prefix confusion in path validation. When the application validates a path like /courses-backup/sensitive.txt against a base directory of /courses, the startsWith('/courses') check passes because both strings begin with /courses, even though the target file resides in a completely different directory tree. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-35613
Indicators of Compromise
- Unexpected file access attempts to directories with similar prefixes to the configured base directory
- Log entries showing file reads from sibling directories that share naming prefixes with the baseDir
- Access patterns requesting paths that resolve outside the expected course materials directory
Detection Strategies
- Monitor file system access logs for reads to directories adjacent to the configured baseDir
- Implement runtime application logging to track relativePath arguments passed to CoursevaultPreview methods
- Audit application configurations to identify instances running vulnerable versions (prior to 0.1.1)
Monitoring Recommendations
- Enable detailed file access logging on directories containing sensitive data near coursevault-preview base directories
- Configure alerts for file access attempts to paths that closely resemble but differ from legitimate course material paths
- Review application logs periodically for unusual path resolution patterns
How to Mitigate CVE-2026-35613
Immediate Actions Required
- Upgrade coursevault-preview to version 0.1.1 or later immediately
- Audit file system structure to identify sibling directories with prefixes matching existing baseDir configurations
- Review access logs for evidence of prior exploitation attempts
- Restrict file system permissions to limit potential information disclosure
Patch Information
The vulnerability is fixed in coursevault-preview version 0.1.1. The fix addresses the improper boundary check in the resolveSafe utility by implementing proper directory hierarchy validation rather than simple string prefix matching. Users should upgrade to version 0.1.1 or later to remediate this vulnerability. For additional details, see the GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, ensure no sibling directories exist with names that share the same string prefix as the configured baseDir
- Implement additional file system permission restrictions to prevent read access to sensitive directories
- Consider isolating the coursevault-preview instance in a container or chroot environment with minimal file system exposure
- Add network-level access controls to limit who can interact with affected coursevault-preview instances
# Upgrade coursevault-preview to the patched version
npm update coursevault-preview@0.1.1
# Alternatively, install the specific patched version
npm install coursevault-preview@0.1.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
