Advisories for Pypi/Cloakbrowser package

2026

CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion

The cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal sequences to resolve user_data_dir outside the configured data_dir. When Chrome fails to start or the process is cleaned up, shutil.rmtree() deletes the traversed path, resulting in arbitrary directory deletion. Additionally, cloakserve …