## https://sploitus.com/exploit?id=5B646D39-545B-5C8F-B570-3259ECB4FA41
# Path Traversal Demo - Case Study : CVE-2026-14628

A minimal, runnable demonstration of the **Path Traversal (CWE-22)** vulnerability class, using the recently disclosed [CVE-2026-14628](https://vuln/detail/CVE-2026-14628) as a real-world reference point.


## The real vulnerability

CVE-2026-14628 affects `NousResearch/hermes-agent` (versions before 2026.5.16).  
The `extract_media` function in `gateway/platforms/base.py` builds a filesystem path from an incoming webhook payload without validating it, allowing a remote, unauthenticated attacker to read files outside the intended media directory.

- **CVSS 3.1**: 5.3 (Medium), vector `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`
- Remotely exploitable, no authentication or user interaction required
- A public exploit exists; the vendor was notified but has not responded

This repo does **not** target or exploit the real `hermes-agent` codebase. Instead, it reproduces the exact vulnerability *pattern* in a small, self-contained example so the flaw and its fix are easy to study and reuse as a reference when reviewing other code.

## Files

| File | Purpose |
|---|---|
| `vulnerable_example.py` | Reproduces the flawed logic: builds a path via naive string concatenation, no validation |
| `secure_example.py` | Fixed version: validates the resolved absolute path stays within the intended root directory |

## Run it yourself
```bash
python3 vulnerable_example.py
```
Output shows the "attacker" successfully reading a file (`secret_outside_media_root.txt`) that lives *outside* the intended `media_storage/` directory, using an input like `../secret_outside_media_root.txt`.
```bash
python3 secure_example.py
```
The same malicious input is rejected with a clear `PathTraversalError`.
## The fix, explained

Two complementary defenses are applied in `secure_example.py`:

1. **Reject suspicious input outright**: filenames containing `..` or path separators are rejected before touching the filesystem at all (fail fast, clear error for legitimate callers). Absolute filenames belong in this group too, because `os.path.join(MEDIA_ROOT, "/etc/passwd")` silently discards `MEDIA_ROOT`.
2. **Verify the resolved path**: after building the full path, resolve it to an absolute path and confirm it still starts with the intended root directory plus a separator (so a sibling such as `media_storage_old/` does not pass as a child of `media_storage/`). This is the defense that actually matters: it does not depend on spotting a bad pattern in the raw input, so it also catches absolute paths, `..` hidden behind redundant separators, and OS-specific path forms that a naive substring check could miss. Two caveats: `MEDIA_ROOT` must itself be absolute and normalized with no trailing separator, since the comparison is a plain string prefix check; and `os.path.abspath` normalizes `..` lexically but does not follow symlinks, so if an attacker can plant a symlink inside the media root, resolve both the root and the candidate with `os.path.realpath` instead and compare the real locations.

```python
candidate_path = os.path.abspath(os.path.join(MEDIA_ROOT, filename))
if not candidate_path.startswith(MEDIA_ROOT + os.sep):
    raise PathTraversalError(...)
```
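To make the difference between the lexical `abspath` check and a `realpath` check concrete, the following is an added, self-contained example written for this page (it is not code from this repo or from `hermes-agent`). It reproduces the same vulnerable and fixed patterns against a throwaway directory layout that it constructs itself; the function names, the `follow_symlinks` switch and the file names are invented for the example.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested filename would escape the media root."""


def vulnerable_media_path(media_root: str, filename: str) -> str:
    """The flawed pattern: naive join, no validation (deliberately vulnerable)."""
    return os.path.join(media_root, filename)


def secure_media_path(media_root: str, filename: str, follow_symlinks: bool = True) -> str:
    """Return the on-disk path for `filename`, or raise PathTraversalError.

    follow_symlinks=True resolves with os.path.realpath (follows symlinks);
    False resolves with os.path.abspath (lexical only), kept here purely to
    show what the weaker check misses.
    """
    # Defense 1: fail fast on obviously hostile input. os.path.join() silently
    # replaces the root with an absolute second argument, so reject that too.
    if ".." in filename or "/" in filename or "\\" in filename or os.path.isabs(filename):
        raise PathTraversalError(f"rejected suspicious filename: {filename!r}")

    # Defense 2: build, resolve, and require the result to stay under the root.
    # Root and candidate must be resolved the same way, and the comparison uses
    # root + os.sep so "media_storage_old" cannot pass as a child of "media_storage".
    resolve = os.path.realpath if follow_symlinks else os.path.abspath
    root = resolve(media_root)
    candidate = resolve(os.path.join(root, filename))
    if not candidate.startswith(root + os.sep):
        raise PathTraversalError(f"{filename!r} resolves to {candidate}, outside {root}")
    return candidate


def _outcome(media_root: str, filename: str, follow_symlinks: bool = True) -> str:
    try:
        secure_media_path(media_root, filename, follow_symlinks)
        return "allowed"
    except PathTraversalError:
        return "rejected"


def demo() -> dict:
    """Exercise both versions against a constructed layout (not real data):

    tmp/
      secret_outside_media_root.txt
      media_storage/
        cat.png
        link.txt -> ../secret_outside_media_root.txt   (if symlinks are supported)
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "media_storage")
        os.mkdir(root)
        with open(os.path.join(tmp, "secret_outside_media_root.txt"), "w") as f:
            f.write("TOP SECRET\n")
        with open(os.path.join(root, "cat.png"), "wb") as f:
            f.write(b"\x89PNG")
        try:
            os.symlink("../secret_outside_media_root.txt", os.path.join(root, "link.txt"))
            symlink_ok = True
        except OSError:  # e.g. Windows without the symlink privilege
            symlink_ok = False

        # Vulnerable version: "../" walks out of the root and the secret is read.
        with open(vulnerable_media_path(root, "../secret_outside_media_root.txt")) as f:
            results["vulnerable_reads_secret"] = f.read().startswith("TOP SECRET")

        # Secure version: the legitimate file is served; traversal, absolute
        # paths, and the empty name (which resolves to the root itself) are not.
        results["legit_allowed"] = secure_media_path(root, "cat.png").endswith("cat.png")
        for bad in ("../secret_outside_media_root.txt", "/etc/passwd", "sub/../../x", ""):
            results[bad] = _outcome(root, bad)

        if symlink_ok:
            # "link.txt" looks harmless, so defense 1 passes it; the lexical
            # abspath check passes it too, and only realpath catches it.
            results["symlink_lexical"] = _outcome(root, "link.txt", follow_symlinks=False)
            results["symlink_realpath"] = _outcome(root, "link.txt", follow_symlinks=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The two `symlink_*` rows are the ones worth studying: the same filename passes the `abspath`-based prefix check and is refused by the `realpath`-based one, which is why the resolution step, not the substring filter, is the defense to rely on.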

## Why this matters

Path traversal is one of the most common and most avoidable vulnerability classes in software that handles file uploads, downloads, or any user-controlled filename: webhook handlers, media processors, log viewers, template engines, and file-serving APIs are frequent targets. The fix is cheap (a handful of lines); the cost of skipping it is arbitrary file disclosure, and in worse cases (when combined with write access) remote code execution.

## Disclaimer

This project is for educational purposes only. It is a generic reproduction of a known vulnerability class, not a working exploit against any specific live or unpatched software. Do not use these techniques against systems you do not own or have explicit authorization to test.