geyang ml-logger Information Disclosure Vulnerability in File Handler Component

A vulnerability allowing arbitrary file read has been identified in geayang ml-logger versions prior to acf255bade5be6ad88d90735c8367b28cbe3a743. The issue arises in the stream_handler function within ml_logger/server.py, where user-supplied input is not properly validated, allowing unauthenticated users to read sensitive files from the server. This vulnerability can be exploited remotely.

Impact

Exploitation of this vulnerability allows unauthorized users to read arbitrary files on the server, potentially leading to exposure of sensitive information.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/stream' endpoint with a JSON payload that includes a manipulated 'key' parameter. This parameter can be crafted to access sensitive files, such as '/proc/self/cmdline'. Additionally, the vulnerability can be combined with the 'glob_handler' routing to read any file on the server.