GHSA-5g75-477j-2c2f: LaunchServer FileServerHandler has an unauthenticated path traversal issue
An unauthenticated path traversal vulnerability in GravitLauncher LaunchServer (≤ 5.7.11) allows remote attackers to read arbitrary files accessible by the LaunchServer process. This includes sensitive files such as private keys used for signing JWT access tokens, refresh-token salts, and database credentials. The vulnerability arises from improper normalization of request paths, enabling traversal outside the intended directory. The file server is enabled by default and listens on all interfaces without authentication, exposing critical secrets. Exploitation requires sending a specially crafted HTTP GET request without a leading slash, which bypasses normal path normalization. This leads to full authentication bypass and potential full system compromise.
AI Analysis
Technical Summary
The LaunchServer HTTP file server component (FileServerHandler) in GravitLauncher LaunchServer versions up to 5.7.11 has an unauthenticated path traversal flaw. The vulnerability is due to improper handling of request-targets that do not start with a slash, causing the path normalization logic to fail and allowing resolution of file paths outside the intended updates directory. This enables attackers to read any file readable by the LaunchServer process, including critical secrets such as the ECDSA private key (.keys/ecdsa_id), refresh-token salt (.keys/legacySalt), and database credentials (LaunchServer.json). The file server is enabled by default, bound to 0.0.0.0:9274, and does not require authentication, making exploitation straightforward via raw socket HTTP GET requests without a leading slash. Normal HTTP clients and proxies that normalize paths block this vector, but direct exposure or TCP-level proxies remain vulnerable. The flaw allows attackers to forge valid access tokens for any account, including admins, resulting in full authentication bypass and system compromise.
Potential Impact
Unauthenticated remote attackers can read arbitrary files accessible to the LaunchServer process, including private keys used to sign JWT access tokens, refresh-token salts, and database credentials. This enables attackers to mint valid access tokens for any user, including administrators, effectively bypassing authentication. The exposure of these secrets can lead to full system compromise, unauthorized access, and data breaches. The vulnerability also allows reading other sensitive files such as configuration and system files, increasing the attack surface.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Suggested fixes include re-normalizing the resolved file path and verifying it remains within the intended base directory, rejecting request targets that do not start with a leading slash, and binding the file server to localhost (127.0.0.1) by default. Deployments should firewall or restrict access to port 9274 to prevent direct exposure. Use of a normalizing L7 reverse proxy (e.g., stock nginx with path normalization) can block the primary attack vector by rejecting no-leading-slash requests. Until an official fix is available, restrict network access to the vulnerable service and monitor for suspicious activity.
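The first two suggested fixes (reject request-targets without a leading slash, then re-normalize the resolved path and confirm it is still inside the base directory) can be sketched as follows. This is an added example, not LaunchServer's own code: the class `SafeFileResolver`, the method `resolve`, the `updates` base directory and the sample request-targets are assumptions constructed for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

public class SafeFileResolver {
    // Hypothetical helper (not LaunchServer code): map a request-target to a
    // file under baseDir, or return empty when the request must be refused.
    static Optional<Path> resolve(Path baseDir, String requestTarget) {
        // Fix 1: refuse any request-target that lacks a leading slash.
        if (requestTarget == null || !requestTarget.startsWith("/")) {
            return Optional.empty();
        }
        // Drop the query string; only the path part names a file.
        int q = requestTarget.indexOf('?');
        String raw = q >= 0 ? requestTarget.substring(0, q) : requestTarget;
        Path base = baseDir.toAbsolutePath().normalize();
        try {
            // URLDecoder treats '+' as a space, so protect literal '+' first.
            String decoded = URLDecoder.decode(raw.replace("+", "%2B"), StandardCharsets.UTF_8);
            // Fix 2: normalize AFTER resolving, then check containment.
            Path resolved = base.resolve(decoded.substring(1)).normalize();
            // Path.startsWith compares whole components, so a sibling such
            // as "updates-old" does not pass as being inside "updates".
            return resolved.startsWith(base) ? Optional.of(resolved) : Optional.empty();
        } catch (IllegalArgumentException e) {
            // Malformed percent-encoding or an invalid path (e.g. NUL byte).
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        Path base = Paths.get("updates"); // constructed base directory
        // Constructed request-targets: one valid, three that must be refused.
        String[] targets = {
            "/client/libraries/app.jar",
            "../LaunchServer.json",
            "/../.keys/ecdsa_id",
            "/%2e%2e/.keys/legacySalt",
        };
        for (String t : targets) {
            System.out.println(t + " -> " + resolve(base, t).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```

`Path.normalize()` is purely lexical and does not follow symbolic links; where links may exist under the base directory, also compare `toRealPath()` of the file and of the base before serving.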
Technical Details
- GCVE source: db.gcve.eu
- OSV ID: GHSA-5g75-477j-2c2f
- OSV schema version: 1.4.0
- Aliases: CVE-2026-54617
- Ecosystems: Maven
- Database-specific severity: CRITICAL
- CVSS version: 3.1
Threat ID: 6a46ecae27e9c7971943b8d9
Added to database: 07/02/2026, 22:56:46 UTC
Last enriched: 07/02/2026, 23:05:42 UTC
Last updated: 07/02/2026, 23:05:42 UTC