PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32847 HKUDS CVE debrief

A path traversal vulnerability in DeepCode's SPA catch-all route allows unauthenticated attackers to read arbitrary files by supplying percent-encoded path segments to bypass Starlette's path normalization. The vulnerability exists in new_ui/backend/main.py through commit c991dc2. Attackers can encode slashes as %2F and dots as %2E%2E to traverse outside the FRONTEND_DIST directory, exposing sensitive files including SSH private keys, TLS certificates, and application secrets with a single HTTP request.

Vendor
HKUDS
Product
DeepCode
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations running DeepCode instances, particularly those exposing the web UI to untrusted networks. Security teams responsible for code analysis platform infrastructure. Developers maintaining Starlette-based applications with catch-all routes. Incident response teams monitoring for path traversal exploitation attempts.

Technical summary

The vulnerability resides in the SPA catch-all route handler in new_ui/backend/main.py. The endpoint accepts arbitrary paths via GET /{full_path:path} and joins them with FRONTEND_DIST without adequate validation. Starlette's default path normalization can be bypassed using percent-encoding: %2F for forward slashes and %2E%2E for dot-dot sequences. This allows attackers to construct paths that traverse outside the intended frontend distribution directory. The vulnerability is exploitable without authentication, requires low attack complexity, and enables reading arbitrary files accessible to the application process. Sensitive targets include SSH private keys (/root/.ssh/id_rsa), TLS certificates, and application configuration files containing secrets.

Defensive priority

HIGH

Recommended defensive actions

  • Apply security patches from the DeepCode repository when available, prioritizing updates that address the path traversal in new_ui/backend/main.py
  • Implement strict path validation and normalization before file system operations, ensuring percent-encoded sequences are decoded and validated before path construction
  • Configure web application firewall rules to detect and block path traversal patterns including encoded dot-dot sequences (%2E%2E) and encoded slashes (%2F)
  • Restrict file system permissions to prevent web application processes from accessing sensitive files outside intended directories
  • Review and harden SPA catch-all route implementations to ensure proper path sanitization and prevent directory traversal attacks
  • Monitor access logs for suspicious requests containing percent-encoded path traversal sequences targeting the GET /{full_path:path} endpoint

Evidence notes

Vulnerability disclosed via Vulncheck advisory and GitHub issue. CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and high confidentiality impact. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) identified as primary weakness.

Official resources

2026-05-28