Rook
AI red-teamer · 42nights

Filesystem error message disclosure in /api/file reveals absolute paths and error codes

medium · 5.3

info-leak · server.js:41

Introduced in 15b34d5cc6 by 42nights on 2026-06-03

Summary

The /api/file endpoint reads files with fs.readFile and, on error, echoes err.message unchanged in the 404 response body (server.js:41). Because the resolved path is built from __dirname plus user input, the error string discloses absolute filesystem paths and Node.js error codes (ENOENT, EACCES, EISDIR). The endpoint should return a generic 'not found' message and log the detailed error server-side instead of echoing it to the client.

Impact. An unauthenticated attacker can probe the filesystem by varying the name parameter and reading the returned error messages to learn the absolute install path (e.g. /Users/<user>/...), the directory layout, and whether arbitrary paths exist, are directories, or are permission-restricted. This reconnaissance materially assists chaining further attacks such as path traversal, targeted LFI, or exploitation of other known-path vulnerabilities on the host.

Vulnerable code — server.js

if (err) return send(res, 404, `not found: ${err.message}`);

Working exploit

curl -s 'http://127.0.0.1:4600/api/file?name=../../../../../../../../../../nonexistent_rookpoc_marker'

Exploit transcript

$ curl -s 'http://127.0.0.1:4600/api/file?name=../../../../../../../../../../nonexistent_rookpoc_marker'
HTTP 404  Content-Type: text/plain
not found: ENOENT: no such file or directory, open '/Users/nonexistent_rookpoc_marker'

Confirmed: not found: ENOENT: no such file or directory, open '/Users/nonexistent_rookpoc_marker'

CVSS v3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (medium)

Recommended fix

AI-suggested fix — review before applying (derived from analysis of untrusted repo content):

Strip internal error details from the response and log them server-side instead:

--- a/server.js
+++ b/server.js
@@
-      if (err) return send(res, 404, `not found: ${err.message}`);
+      if (err) {
+        console.error('readFile failed for /api/file:', err);
+        return send(res, 404, 'not found');
+      }
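Review bot: the `@@` hunk header carries no line ranges, so this patch will not apply with `git apply` or `patch` as written; regenerate it from the working tree (the target is server.js:41) or apply the four-line change by hand. The replacement also leaves the path construction untouched, so a traversal-style `name` still reaches fs.readFile; fold the base-directory containment check into the same change, ahead of the readFile call, and answer out-of-base paths with the same generic 'not found' body so the check itself does not become a new oracle for which paths exist.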

Additionally, validate/normalize the name parameter and ensure the resolved path stays within an allowed base directory before calling fs.readFile.

Ship the fix

Rook found it and proved it. Hand the finding — with its working exploit as a failing test — to Otis to write the fix PR.