Cloakhq · Cloakbrowser · CVE-2026-45727
**Name of the Vulnerable Software and Affected Versions**
CloakBrowser versions prior to 0.3.28
**Description**
The `cloakserve` CDP multiplexer uses the user-supplied `fingerprint` query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker with network access to the `cloakserve` port can supply a crafted `fingerprint` value containing path traversal sequences so that `user data dir` resolves outside the configured `data dir`. When Chrome fails to start or the process is cleaned up, `shutil.rmtree()` deletes the traversed path, leading to arbitrary directory deletion. By default, `cloakserve` binds to `0.0.0.0`, which exposes it to the network.
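The following added example (not CloakBrowser's code and not the project's actual fix) contrasts the unchecked join described above with a containment check that a service can apply both when building the profile path and again before any recursive delete. The function names, the allowlist pattern and the sample values are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: fingerprints are short opaque tokens; this allowlist is illustrative.
FINGERPRINT_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_profile_dir(data_dir: Path, fingerprint: str) -> Path:
    """The pattern the advisory describes: the parameter is joined as-is."""
    return data_dir / fingerprint


def safe_profile_dir(data_dir: Path, fingerprint: str) -> Path:
    """Return a profile path that is a strict descendant of data_dir."""
    if not FINGERPRINT_RE.fullmatch(fingerprint):
        raise ValueError("fingerprint contains disallowed characters")
    base = data_dir.resolve()
    candidate = (base / fingerprint).resolve()
    # Defence in depth: a symlink inside data_dir could still redirect the path.
    if base not in candidate.parents:
        raise ValueError("profile path escapes data_dir")
    return candidate


def is_contained(data_dir: Path, path: Path) -> bool:
    """Re-check immediately before any recursive delete such as shutil.rmtree()."""
    return data_dir.resolve() in path.resolve().parents


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = Path(tmp) / "profiles"
        data_dir.mkdir()
        # Constructed sample values, not taken from the advisory.
        for fp in ("a1b2c3", "../sibling"):
            naive = naive_profile_dir(data_dir, fp)
            print(f"{fp!r}: naive join contained = {is_contained(data_dir, naive)}")
            try:
                print("  accepted:", safe_profile_dir(data_dir, fp).name)
            except ValueError as exc:
                print("  rejected:", exc)
```

Because `is_contained()` returns `False` for the data directory itself, the same check also refuses a cleanup call aimed at the whole profile root.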
**Recommendations**
Update to version 0.3.28.
Restrict network access to the `cloakserve` port.