Attack Chain

1. The attacker identifies a vulnerable BrowserOperator browser-operator-core instance running a version prior to 0.6.0.
2. The attacker crafts a malicious HTTP request targeting the component_server/server.js endpoint.
3. The crafted request includes a manipulated request.url argument designed to bypass the startsWith function’s intended path restrictions.
4. The startsWith function fails to properly sanitize or validate the request.url input.
5. The application uses the attacker-controlled request.url to construct a file path.
6. The application attempts to read a file based on the constructed path, traversing directories outside of the intended scope.
7. If successful, the contents of the targeted file are returned to the attacker in the HTTP response.

Impact

Successful exploitation of this vulnerability allows a remote attacker to read arbitrary files on the server hosting the BrowserOperator browser-operator-core application. This could lead to the disclosure of sensitive information, including configuration files, credentials, or source code. The lack of response from the project maintainers increases the risk of widespread exploitation, especially given the availability of a public exploit.

Recommendation

• Inspect webserver logs for HTTP requests containing path traversal patterns in the URL targeting the component_server/server.js endpoint to detect potential exploitation attempts. Deploy the Sigma rule Detect BrowserOperator Path Traversal Attempt to identify suspicious requests.
• Monitor web server logs for unusual file access patterns originating from the BrowserOperator application.
• Consider using a web application firewall (WAF) to filter out malicious requests targeting the vulnerable endpoint, mitigating the risk of CVE-2026-7234.