Cyber Resilience

CVE-2024-36527

Medium

Published: 17 June 2024

Published
17 June 2024
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.8911 99.6th percentile
Risk Priority 66 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-36527 is a medium-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 6.5 (Medium).

Operationally, ranked in the top 0.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-36527 is a directory traversal vulnerability, tracked as CWE-22, affecting puppeteer-renderer versions 3.2.0 and earlier. The flaw resides in the handling of the URL parameter, which accepts the file protocol and permits unauthorized access to files on the underlying server. It carries a CVSS 3.1 base score of 6.5, reflecting network attack vector, low attack complexity, and low privileges required, with high impact on confidentiality but none on integrity or availability.

An authenticated attacker can supply a crafted file:// URL to the renderer service and retrieve arbitrary sensitive files from the host filesystem. Because the vulnerability requires only low privileges and no user interaction, any party able to reach the puppeteer-renderer endpoint can leverage it to disclose configuration data, source code, or other protected information stored on the server.

The supplied references consist solely of a public gist containing exploitation details; no vendor advisory, patch information, or mitigation guidance is included. The associated EPSS score has reached a peak of 0.8959 with a current value of 0.8911, indicating sustained exploitation interest since disclosure.

EU & UK References

Vulnerability details

puppeteer-renderer v.3.2.0 and before is vulnerable to Directory Traversal. Attackers can exploit the URL parameter using the file protocol to read sensitive information from the server.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References