Audiobookshelf Path Traversal Vulnerability in Filesystem Existence Check

A path traversal vulnerability has been identified in Audiobookshelf versions prior to 2.32.2. The issue arises in the POST /api/filesystem/pathexists endpoint, where String.startsWith() is used to validate that a resolved file path is within a library folder. This validation fails for sibling directories that share a common prefix, allowing authenticated users with upload permissions to probe for file existence outside their designated library boundaries. The vulnerability is rooted in an improper string prefix check that can be easily exploited to access restricted filesystem areas.

Impact

Exploitation of this vulnerability allows for unauthorized probing of file existence in sibling directories, potentially leading to the disclosure of sensitive filesystem information. This could be used to plan targeted attacks or violate privacy by revealing the presence of specific content in restricted areas.

Reproduction

To reproduce this vulnerability, send a POST request to the /api/filesystem/pathexists endpoint with a folderPath that matches an existing library directory and a directory parameter set to a path that traverses out of the library folder into a sibling directory. The request must include an authorization token for a user with upload permissions.

Remediation

Users are advised to update to Audiobookshelf version 2.33.2, where this vulnerability has been fixed.