calibre
cpe:2.3:a:calibre-ebook:calibre:*:*:*:*:*:*:*
- <= 9.5
A path traversal vulnerability has been identified in Calibre versions prior to 9.6.0. This vulnerability arises in Calibre's processing of images within Markdown and similar text-based files. It allows an attacker to include arbitrary files from the file system into the converted e-book. The issue is compounded by missing authentication and server-side request forgery in the background-image endpoint of the e-book reader web view, enabling exfiltration of the included files without further interaction.
Exploitation of this vulnerability allows for arbitrary file inclusion in the output e-book, with the potential for sensitive files to be exfiltrated to the attacker.
To reproduce this vulnerability, upload a Markdown file containing an image reference that exploits the path traversal flaw, such as one pointing to a sensitive file like '/etc/passwd'. Then, convert the file to an e-book format using Calibre. The referenced file will be included in the converted e-book, demonstrating the path traversal vulnerability.
Users should update to Calibre version 9.6.0 or later, where this vulnerability has been fixed.
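For installations that cannot be upgraded immediately, untrusted Markdown can be screened before conversion. The following is an added example, not Calibre's code or its 9.6.0 fix: it lists image references that resolve outside the document's own directory. The regexes, function names and sample document are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlparse

# Inline Markdown images ![alt](target "title") and raw HTML <img src="...">.
IMG_MD = re.compile(r'!\[[^\]]*\]\(\s*<?([^)\s>]+)')
IMG_HTML = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)', re.I)

# Constructed sample input (not taken from a real exploit or from Calibre).
SAMPLE = '''# Notes
![cover](images/cover.png)
![a](/etc/passwd)
![b](../../etc/passwd "title")
<img src="file:///etc/passwd">
![remote](https://example.com/a.png)
'''


def image_targets(markdown_text):
    """Return every image target referenced in the Markdown source."""
    return IMG_MD.findall(markdown_text) + IMG_HTML.findall(markdown_text)


def escapes_base(target, base_dir):
    """True if a local image target resolves outside base_dir."""
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https", "data"):
        return False  # not a local file read; remote fetches need their own policy
    # file: URLs and plain paths both end up as filesystem paths.
    raw = unquote(parsed.path if parsed.scheme == "file" else target)
    base = Path(base_dir).resolve()
    # An absolute `raw` replaces `base` in the join; resolve() collapses ".."
    # and follows symlinks, so the comparison is on the real location.
    candidate = (base / raw).resolve()
    return not candidate.is_relative_to(base)


def suspicious_images(markdown_text, base_dir):
    """List image targets that would read a file outside the document's directory."""
    return [t for t in image_targets(markdown_text) if escapes_base(t, base_dir)]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as doc_dir:
        for hit in suspicious_images(SAMPLE, doc_dir):
            print("image reference leaves the document directory:", hit)
```

The check is deliberately conservative: percent-encoded targets are decoded before resolution, so a reference such as `%2e%2e/secret.txt` is flagged even if a given converter would not decode it.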