CVE-2026-44225
enesgkky · Pulpy
The Pulpy desktop application packager contains an incomplete path blocklist in its filesystem API, allowing packaged web applications to access sensitive files in the user's home directory.
Executive summary
A critical path traversal vulnerability in Pulpy allows packaged web applications to read and write sensitive user files, including SSH keys and cloud credentials.
Vulnerability
This is an improper access control and path traversal vulnerability where the validateFsPath() function fails to properly sandbox the pulpy.fs JavaScript API. An attacker-controlled web application can bypass the blocklist to access restricted files such as ~/.ssh/id_rsa or ~/.aws/credentials.
Business impact
Exploitation allows for the theft of credentials, cryptographic keys, and sensitive local data, leading to a total compromise of the user's local workstation and potential lateral movement into cloud environments. The high CVSS score of 9.3 reflects the severity of this unauthorized access to highly sensitive system files.
Remediation
Immediate Action: Update all applications packaged with Pulpy to version 0.1.1 or later and rebuild the application bundles.
Proactive Monitoring: Scan for unauthorized file access attempts or anomalous read/write activity on sensitive system configuration files.
Compensating Controls: Implement endpoint protection solutions to monitor and block unauthorized processes from accessing sensitive directories like ~/.ssh or ~/.aws.
Exploitation status
Public Exploit Available: Yes (Proof of Concept)
Analyst recommendation
The risk of credential theft via this vulnerability is significant for developers and users of applications packaged with Pulpy. It is imperative to update the packager and redistribute affected software immediately to prevent local data compromise.