The vulnerability stems from improper path validation in the download handler. The commit diff shows critical security checks were added to httphandler.py's download_check_files function: 1) Checking for '../' prefixes, and 2) Verifying paths aren't absolute via os.path.isabs(). The exploit demonstrates how attackers could leverage this by manipulating the 'value' parameter, and the CVE description explicitly calls out this function's role in the download process. The XSS fix in playlistmanager.js is unrelated to the directory traversal vulnerability.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| CherryMusic | pip | < 0.36.0 | 0.36.0 |
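
An added example (not CherryMusic's code and not part of the original page) of the two checks described above, followed by a stricter containment check. The function names, the `/srv/media` base directory and the sample paths are constructed for illustration. It goes beyond the page by canonicalizing the joined path and requiring it to stay under the base directory, because a literal `'../'` prefix test does not look at `..` segments later in a path.

```python
import os

def passes_prefix_checks(relpath):
    """The two checks as the page describes them (hypothetical helper):
    reject a leading '../' and reject absolute paths."""
    return not relpath.startswith("../") and not os.path.isabs(relpath)

def resolve_inside(basedir, relpath):
    """Stricter check (an addition, not from the page): canonicalize the
    joined path and require it to remain under basedir."""
    base = os.path.realpath(basedir)
    target = os.path.realpath(os.path.join(base, relpath))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory: %r" % relpath)
    return target

def filter_download_list(basedir, requested):
    """Split a requested file list into resolved paths and rejected entries."""
    accepted, rejected = [], []
    for rel in requested:
        try:
            if not passes_prefix_checks(rel):
                raise ValueError("failed prefix checks: %r" % rel)
            accepted.append(resolve_inside(basedir, rel))
        except ValueError:
            rejected.append(rel)
    return accepted, rejected

if __name__ == "__main__":
    # Constructed sample input; /srv/media is an assumed media root.
    sample = ["album/track.mp3", "../outside.txt", "/etc/hostname",
              "album/../../outside.txt"]
    ok, bad = filter_download_list("/srv/media", sample)
    print("accepted:", ok)
    print("rejected:", bad)
```
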