A path traversal vulnerability in Emmett allows an unauthenticated attacker to read arbitrary files on the server by manipulating static file paths.

The RSGI static handler for internal assets (paths starting with /__emmett__) fails to properly sanitize input. An attacker can use ../ sequences in the URL to escape the assets directory and access sensitive files elsewhere on the filesystem.

This vulnerability (CVSS 9.1) allows for unauthorized disclosure of sensitive system files, configuration files, or source code. The severity is high as it facilitates reconnaissance or direct theft of credentials/secrets, which can be used to further compromise the server environment.

Immediate Action: Upgrade the Emmett web framework to version 2.8.1 or later.

Proactive Monitoring: Review web server logs for requests containing ../ sequences directed at the /__emmett__ endpoint.

Compensating Controls: Configure the web server to restrict directory traversal and ensure the web application user has the minimum possible filesystem permissions.

Public Exploit Available: No

Developers should prioritize upgrading to version 2.8.1. Given the ease of exploitation for information disclosure, verifying that no sensitive files have been accessed via this method should be a priority during post-patching audits.