GHSA-mm6c-5j6x-hq8m: Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename
Algernon running on Windows with NTFS is vulnerable to server-side script source disclosure via specially crafted filenames that exploit NTFS filename equivalences. An unauthenticated attacker can append NTFS alternate data stream suffixes or trailing dots/spaces to script filenames on public paths and receive the raw script source instead of executed output. This leaks embedded secrets such as database credentials and session cookie secrets. The vulnerability affects versions prior to 1.17.9 and does not impact Linux or macOS hosts.
AI Analysis
Technical Summary
Algernon's file handler selection uses filepath.Ext(), which does not recognize NTFS-equivalent filename suffixes like '::$DATA', trailing dots, or trailing spaces as script extensions (e.g., '.lua'). On Windows, these suffixes resolve to the original file's data stream, so Algernon bypasses script execution and instead serves the raw source code. This allows unauthenticated clients to read server-side script source files on public paths, exposing sensitive embedded secrets such as database connection strings and the SetCookieSecret value. The root cause is that Algernon does not canonicalize or reject Windows-equivalent filenames before dispatching handlers, leading to a confidentiality breach.
Potential Impact
An attacker can read the exact source code of any server-side script served on a public path by Algernon on Windows hosts. This disclosure exposes hardcoded secrets including database credentials and session cookie secrets. The leaked SetCookieSecret enables forging of session cookies, allowing unauthenticated attackers to impersonate any user. This results in a high confidentiality impact and complete authentication bypass without requiring any privileges or user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vendor suggests rejecting request paths whose final segment contains Windows-equivalent filename forms such as alternate data stream suffixes ('::$DATA'), trailing dots, or trailing spaces before extension dispatch. Until a patch is available, administrators should avoid serving server-side scripts on public paths on Windows hosts or implement access controls to prevent unauthenticated access. Monitoring for suspicious requests using these filename suffixes may help detect exploitation attempts.
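The check the vendor suggests, as an added Go example that is not Algernon's own code: a naive dispatcher that classifies purely by path.Ext (the failure mode described above) beside one that first rejects NTFS-equivalent final segments. The script-extension table and the handler names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// scriptExts is an assumed table of extensions dispatched to a script
// engine, modelled on Algernon's Lua handling; not the project's real table.
var scriptExts = map[string]bool{".lua": true}

// naiveDispatch classifies only by extension. "index.lua::$DATA",
// "index.lua." and "index.lua " all yield an extension that is not ".lua",
// so they fall through to the static handler and the source is served.
func naiveDispatch(reqPath string) string {
	if scriptExts[strings.ToLower(path.Ext(reqPath))] {
		return "execute"
	}
	return "static"
}

// hasWindowsEquivalentForm reports whether the final path segment carries
// an NTFS-equivalent suffix: alternate data stream syntax (anything after
// a ':') or trailing dots/spaces, which NTFS strips when resolving names.
func hasWindowsEquivalentForm(reqPath string) bool {
	seg := path.Base(path.Clean(reqPath))
	if seg == "." || seg == "/" {
		return false
	}
	return strings.Contains(seg, ":") ||
		strings.HasSuffix(seg, ".") ||
		strings.HasSuffix(seg, " ")
}

// dispatch rejects equivalent forms before extension dispatch, so the
// extension check only ever sees a canonical filename.
func dispatch(reqPath string) string {
	if hasWindowsEquivalentForm(reqPath) {
		return "reject"
	}
	return naiveDispatch(reqPath)
}

func main() {
	// Constructed request paths, URL-decoded as a server would see them.
	for _, p := range []string{"/index.lua", "/index.lua::$DATA", "/index.lua.", "/index.lua ", "/css/site.css"} {
		fmt.Printf("%-20q naive=%-8s hardened=%s\n", p, naiveDispatch(p), dispatch(p))
	}
}
```

Rejected requests are also the detection signal the advisory mentions: log the final segment of any path that trips hasWindowsEquivalentForm.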
Technical Details
- GCVE Source: db.gcve.eu
- OSV ID: GHSA-mm6c-5j6x-hq8m
- OSV Schema Version: 1.4.0
- Aliases: CVE-2026-52792
- Ecosystems: Go
- Database Specific Severity: HIGH
- CVSS Version: 4.0
Threat ID: 6a46ecae27e9c7971943b8e1
Added to database: 07/02/2026, 22:56:46 UTC
Last enriched: 07/02/2026, 23:05:59 UTC
Last updated: 07/03/2026, 00:03:49 UTC