{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/algernon/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Algernon"],"_cs_severities":["critical"],"_cs_tags":["algernon","rce","directory-traversal"],"_cs_type":"advisory","_cs_vendors":["Algernon"],"content_html":"\u003cp\u003eAlgernon is susceptible to a critical remote code execution vulnerability. When a URL path resolves to a directory lacking an index file, Algernon\u0026rsquo;s \u003ccode\u003eDirPage\u003c/code\u003e function recursively searches parent directories for a \u003ccode\u003ehandler.lua\u003c/code\u003e file. Critically, this search extends beyond the configured server root, creating an opportunity for attackers to inject malicious Lua code. If an attacker can write a \u003ccode\u003ehandler.lua\u003c/code\u003e file to any parent directory of the Algernon server root, that file will be executed with full Algernon API access, including functions like \u003ccode\u003erun3()\u003c/code\u003e, \u003ccode\u003ehttpclient\u003c/code\u003e, \u003ccode\u003eos.execute\u003c/code\u003e, and direct database access. This occurs without authentication, as the handler lookup precedes permission checks. This vulnerability impacts any Algernon deployment where a less-trusted principal can write to a parent directory of the server root. The issue was introduced due to an unbounded upward search in the \u003ccode\u003eDirPage\u003c/code\u003e function, as detailed in the GHSA-xwcr-wm99-g9jc advisory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an Algernon instance and its server root directory.\u003c/li\u003e\n\u003cli\u003eAttacker gains write access to a parent directory of the server root (e.g., \u003ccode\u003e/srv\u003c/code\u003e, \u003ccode\u003e/tmp\u003c/code\u003e, \u003ccode\u003e~/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious \u003ccode\u003ehandler.lua\u003c/code\u003e file containing arbitrary code for execution.\u003c/li\u003e\n\u003cli\u003eAttacker writes the malicious \u003ccode\u003ehandler.lua\u003c/code\u003e file to the chosen parent directory.\u003c/li\u003e\n\u003cli\u003eAttacker sends an HTTP request to the Algernon server, targeting a directory without an \u003ccode\u003eindex.*\u003c/code\u003e file (e.g., \u003ccode\u003e/nope/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAlgernon\u0026rsquo;s \u003ccode\u003eDirPage\u003c/code\u003e function initiates an upward directory search for \u003ccode\u003ehandler.lua\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe search locates the attacker\u0026rsquo;s malicious \u003ccode\u003ehandler.lua\u003c/code\u003e in a parent directory.\u003c/li\u003e\n\u003cli\u003eAlgernon executes the \u003ccode\u003ehandler.lua\u003c/code\u003e file using a Lua interpreter with full API access, resulting in RCE.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary code on the Algernon server with the privileges of the Algernon process. This can lead to complete compromise of the server, including data theft, modification, or destruction. Multi-tenant environments are especially at risk, as a compromised tenant could inject a \u003ccode\u003ehandler.lua\u003c/code\u003e that affects other tenants. The scope of the impact is changed, as a write primitive against a parent directory crosses into the Algernon process\u0026rsquo;s authority.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the provided patch to clamp the \u003ccode\u003eDirPage\u003c/code\u003e directory traversal to the server root as described in the GHSA advisory.\u003c/li\u003e\n\u003cli\u003eImplement the boundary check in \u003ccode\u003eengine/dirhandler.go\u003c/code\u003e to prevent traversal beyond the server root as detailed in the fix suggestions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Algernon handler.lua Discovery\u0026rdquo; to identify potential exploitation attempts via web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in parent directories of Algernon server roots for suspicious \u003ccode\u003ehandler.lua\u003c/code\u003e file creations using the \u0026ldquo;Detect handler.lua Creation in Parent Directories\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eReview and remove any unnecessary \u003ccode\u003ehandler.lua\u003c/code\u003e files present in parent directories of Algernon server roots to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T14:40:16Z","date_published":"2026-05-19T14:40:16Z","id":"https://feed.craftedsignal.io/briefs/2026-05-algernon-rce/","summary":"Algernon is vulnerable to remote code execution due to unbounded upward directory traversal when searching for `handler.lua`, allowing attackers with write access to parent directories to execute arbitrary code.","title":"Algernon handler.lua Discovery Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-algernon-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Algernon","version":"https://jsonfeed.org/version/1.1"}