5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36082

CVE-2022-36082: mangadex-downloader vulnerable to unauthorized file reading

Impact

When using file:<location> command and <location> is web URL location (http, https). mangadex-downloader will try to open and read a file in local disk if the content from online file is exist-as-a-file in victim computer

So far, the app only read the files and not execute it. But still, when someone reading your files without you knowing, it's very scary.

Proof of Concept (PoC)

https://www.mansuf.link/unauthorized-file-read-in-mangadex-downloader-cve-2022-36082/

Workarounds

Unfortunately, there is no workarounds to make it safe from this issue. But i suggest you double check the url before proceed to download or update to latest version ( >= 1.7.2)

Patches

Fixed in version 1.7.2. Commit patch: https://github.com/mansuf/mangadex-downloader/commit/439cc2825198ebc12b3310c95c39a8c7710c9b42

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-36082

CVE-2022-36082:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mangadex-downloader	pip	>= 1.3.0, < 1.7.2	1.7.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper input validation in the validate_url function. The pre-patch code would check if the input URL existed as a local file and read its contents, even when the user intended to process a web URL. This allowed web URLs containing paths matching local files to trigger file reads. The commit diff shows the vulnerable pattern was replaced with a safer _try_read helper that only attempts file reads after explicit validation, confirming validate_url was the entry point for the flawed logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-36082: mangadex-downloader vulnerable to unauthorized file reading

Impact

Proof of Concept (PoC)

Workarounds

Patches

CVE-2022-36082:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

5.3

5.3

CVE-2022-36082: mangadex-downloader vulnerable to unauthorized file reading

Impact

Proof of Concept (PoC)

Workarounds

Patches

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI