Dredsen

**Name of the Vulnerable Software and Affected Versions** Algernon versions prior to 1.17.7 **Description** On Linux and macOS, the SSE event server binds to `0.0.0.0:5553` by default, making it accessible to any peer on the same local area network (LAN). This occurs because the platform-dependent host default in `engine/flags.go` sets the `host` variable to an empty string for non-Windows systems, which the `utils.JoinHostPort()` function resolves to listen on all available network interfaces. In contrast, Windows users are restricted to the loopback address. This allows an unauthorized network peer to connect to the server and read the file-change stream, leading to the disclosure of filenames and edit timing. **Recommendations** Update to version 1.17.7.

**Name of the Vulnerable Software and Affected Versions** Algernon versions prior to 1.17.7 **Description** The SSE event server's `Access-Control-Allow-Origin` response header is hardcoded to the wildcard `*`, regardless of the caller's `Origin`. Because `EventSource` does not perform a preflight request and does not send cookies, this configuration allows any third-party page visited by a user to open a cross-origin `EventSource` connection to the SSE port. This enables a cross-origin script to read the live filename stream from JavaScript. The issue is rooted in the `GenFileChangeEvents()` function, where the wildcard is passed as the allowed origin, granting script-level read access to the stream for any origin. **Recommendations** Update to version 1.17.7. As a temporary workaround, restrict access to the SSE port to minimize the risk of cross-origin exploitation.

**Name of the Vulnerable Software and Affected Versions** Algernon version 1.17.6 **Description** An issue exists where the software performs an unbounded upward search for a file named `handler.lua` when a request is made for a URL path that resolves to a directory without an index file. This search can traverse past the configured server root to the filesystem root. If a `handler.lua` file is found in any parent directory, it is executed by the Lua interpreter with full access to the Algernon API and unsandboxed libraries, including `os`, `io`, `package`, and `debug`. This process occurs before permission checks, allowing unauthenticated remote code execution. An attacker who can write a `handler.lua` file to any parent directory of the server root—such as in shared hosting environments, CI runners, or via malicious `.alg` archives extracted to `/dev/shm`—can execute arbitrary commands. Dangerous primitives available for exploitation include the `run3()` function, `os.execute`, and `io.popen`. **Recommendations** For version 1.17.6, clamp the `DirPage` search walk to ensure it terminates once the ancestor directory is no longer a descendant of the configured server root. As a temporary mitigation, ensure that no `handler.lua` files exist in any parent directories of the server root and restrict write permissions to those directories. Restrict the use of `.alg` archives that contain a top-level `handler.lua` file.

**Name of the Vulnerable Software and Affected Versions** Algernon versions prior to 1.17.7 **Description** When Algernon is started with a single file path instead of a directory, the `singleFileMode` is enabled, which forcibly activates `debugMode`. This configuration enables the `PrettyError` renderer, which discloses the absolute disk path and the complete byte contents of the file that caused a Lua or template error, along with the exception or parser error text. This information is served with an HTTP 200 OK status to any requester. An attacker can trigger this disclosure by provoking a runtime error through common inputs, such as sending an unsupported HTTP method to an endpoint, submitting invalid parameter types that cause a `tonumber()` failure, or sending requests missing required headers. This can lead to the exposure of sensitive server-side source code, including database connection strings, API keys, and secrets. Notably, using the `--prod` flag does not prevent this behavior for non-`.lua` extensions (such as `.po2`, `.amber`, `.html`, `.tmpl`, `.tl`, or `.pongo2`), as the forced `debugMode` override takes precedence. **Recommendations** Update to version 1.17.7. As a temporary workaround, avoid invoking the server with a single file path and instead serve content from a directory. Restrict the use of single-file mode for any environment exposed to untrusted network traffic.