Intelligence
criticalVulnerabilityActive

Unauthenticated Path Traversal in GravitLauncher FileServerHandler – Arbitrary File Read & Authentication Bypass

An unauthenticated path traversal in LaunchServer's HTTP file server allows remote attackers to read arbitrary files, including cryptographic signing keys and database credentials, enabling full authentication bypass and system compromise. This affects GravitLauncher ≤ 5.7.11 on default port 9274.

S
Sebastion

CVE References

Affected

GravitLauncher/LaunchServer ≤ 5.7.11

Vulnerability Description & Root Cause: This is a classic path traversal vulnerability arising from insufficient input validation in the FileServerHandler.channelRead0 method. The flaw stems from a substring(1) operation that blindly strips the leading slash from HTTP request URIs, assuming all requests are slash-prefixed. When Netty's HttpServerCodec accepts a request-target without a leading slash (which is valid per HTTP specifications), the normalization logic fails, allowing relative path sequences (e.g., ../../../../etc/passwd) to escape the intended file-serving directory. The second normalize() call is critically absent after path resolution, leaving traversal payloads intact.

PoC Significance & Exploitation Context: This vulnerability is a generic arbitrary-file-read primitive with severe consequences. The PoC demonstrates that an unauthenticated remote actor can exfiltrate any file readable by the LaunchServer process. The attack is trivial to execute (simple HTTP GET requests) and reliable—it requires only network access to port 9274 (default) with no authentication precondition. Critically, the vulnerable code exposes cryptographic material: the ECDSA private key used to sign JWT access tokens (stored at .keys/ecdsa_id), the refresh-token salt (.keys/legacySalt), and LaunchServer.json (containing database credentials). Possession of the signing key enables minting valid access tokens for any account, including administrators, converting information disclosure into full authentication bypass.

Detection Guidance: Defenders should monitor for HTTP requests to port 9274 containing path traversal indicators in the request-target. Specific patterns include requests lacking a leading slash followed by relative path sequences (../), or requests with unusual URL encoding (e.g., %2e%2e/). Log aggregation should flag GET requests to paths outside the intended file-serving directory. Network IDS/IPS signatures should detect requests matching the pattern: GET [^/].*\.\./ or similar regex. File access logs should be monitored for unexpected reads of .keys/ directory contents or LaunchServer.json. Any successful HTTP 200 responses serving files outside the intended directory are high-priority indicators.

Mitigation & Patching: Immediate action: upgrade GravitLauncher LaunchServer to version > 5.7.11. The permanent fix requires: (1) validating that the request-target always begins with / before stripping; (2) invoking normalize() on the resolved file path after base.resolve(path) to eliminate any remaining traversal sequences; (3) verifying the final resolved path is within the intended base directory using startsWith() or similar containment checks. As a temporary workaround, restrict network access to port 9274 to trusted internal networks using firewall rules. Additionally, relocate or protect cryptographic keys (.keys/ directory) outside the web-served directory tree.

Risk Assessment & Threat Actor Interest: This vulnerability presents extreme risk in production environments. The unauthenticated nature, combined with default port exposure and the ability to extract signing keys for complete authentication bypass, makes it highly attractive to opportunistic attackers and sophisticated threat actors. Exploitation is trivial—no specialized tools required—and the impact is maximal (full system compromise). Given the disclosure date and CVE publication, active scanning for this vulnerability in the wild is already occurring. Organizations running LaunchServer in internet-facing configurations are at immediate risk; exploitation likelihood is high. The authentication bypass aspect (JWT key theft) elevates this beyond data exfiltration into active system compromise, making it a top-priority patch target.