What is GHSA-mf33-gv72-w2h5?

GHSA-mf33-gv72-w2h5 is a security advisory published by GitHub Security Advisories with High severity. CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion

Which CVE IDs does GHSA-mf33-gv72-w2h5 cover?

GHSA-mf33-gv72-w2h5 covers the following CVE IDs: CVE-2026-45727. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-mf33-gv72-w2h5?

GHSA-mf33-gv72-w2h5 affects 1 product, including: pip/cloakbrowser:\u003c= 0.3.27.

GHSA-mf33-gv72-w2h5High

CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-45727 →

📋 Description

The cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal sequences to resolve user_data_dir outside the configured data_dir. When Chrome fails to start or the process is cleaned up, shutil.rmtree() deletes the traversed path, resulting in arbitrary directory deletion.

Additionally, cloakserve bound to 0.0.0.0 by default, making it network-exposed.

Impact

An attacker with network access to the cloakserve port can delete arbitrary directories accessible to the service user.

Patches

Fixed in v0.3.28.

Mitigations

Upgrade to v0.3.28 or later
Restrict network access to the cloakserve port

🎯 Affected products1

pip/cloakbrowser:<= 0.3.27