{"id":"CVE-2025-6152","details":"A vulnerability, which was classified as critical, was found in Steel Browser up to 0.1.3. This affects the function handleFileUpload of the file api/src/modules/files/files.routes.ts. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. The patch is named 7ba93a10000fb77ee01731478ef40551a27bd5b9. It is recommended to apply a patch to fix this issue.","modified":"2026-03-15T22:51:25.598534Z","published":"2025-06-17T02:15:20.213Z","references":[{"type":"ADVISORY","url":"https://vuldb.com/?id.312627"},{"type":"ADVISORY","url":"https://vuldb.com/?submit.593060"},{"type":"REPORT","url":"https://github.com/steel-dev/steel-browser/issues/129"},{"type":"REPORT","url":"https://github.com/steel-dev/steel-browser/issues/129#issuecomment-2936052240"},{"type":"REPORT","url":"https://vuldb.com/?ctiid.312627"},{"type":"FIX","url":"https://github.com/steel-dev/steel-browser/commit/7ba93a10000fb77ee01731478ef40551a27bd5b9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/steel-dev/steel-browser","events":[{"introduced":"0"},{"last_affected":"42b67c0e6ecc60f87f3b2235f562b63ef9b69e63"},{"introduced":"0"},{"last_affected":"76aa97b0366dfd1b554d1882074b38248eef6912"},{"fixed":"7ba93a10000fb77ee01731478ef40551a27bd5b9"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.1.2-beta"},{"introduced":"0"},{"last_affected":"0.1.3-beta"}]}}],"versions":["beta-release","v0.1.1-beta.1","v0.1.2-beta","v0.1.3-beta"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"0.1.1-beta1"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6152.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}