Description
DeepCode through commit c991dc2 contains a path traversal vulnerability in the SPA catch-all route in new_ui/backend/main.py that allows unauthenticated attackers to read arbitrary files by supplying percent-encoded path segments to the GET /{full_path:path} endpoint. Attackers can bypass Starlette's path normalization by encoding slashes as %2F and dots as %2E%2E, causing the joined path to traverse outside FRONTEND_DIST and exposing sensitive files such as SSH private keys, TLS certificates, and application secrets with a single HTTP request.
Published: 2026-05-28
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal vulnerability exists in the SPA catch‑all route of DeepCode’s main.py. Because the path normalization performed by Starlette can be bypassed with specially encoded segments, unauthenticated users can request the GET /{full_path:path} endpoint with percent‑encoded slashes (%2F) and dots (%2E%2E). The server then joins the supplied path with FRONTEND_DIST and serves the resulting file, allowing arbitrary files on the host to be read, including SSH private keys, TLS certificates, and application secrets.

Affected Systems

The vulnerability affects installations of DeepCode from HKUDS, version 1.2.0, up to and including commit c991dc2, where the SPA catch‑all route in new_ui/backend/main.py is defined. Any deployment that still serves this route without a containment check on the joined path is vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and the attack can be performed remotely with a single HTTP GET request without authentication. Because the EPSS score is very low (below 1%) and the issue is not listed in the CISA KEV catalog, the current risk assessment rests on the high CVSS score and on the ease of exploitation via crafted URLs that bypass path normalization.

Generated by OpenCVE AI on May 28, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DeepCode to a version later than commit c991dc2 that removes or secures the vulnerable catch‑all route, once such a release is available.
  • If an immediate upgrade is impossible, restrict access to the /{full_path:path} endpoint by requiring authentication or configuring a whitelist of allowed resource paths, and ensure that the server denies access to files outside the intended FRONTEND_DIST directory.
  • As a temporary measure, deploy a reverse proxy or firewall rule that blocks or rate‑limits requests to the catch‑all route from untrusted networks, thereby reducing the likelihood of successful exploitation while a lasting fix is applied.
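The containment check recommended above, as an added example that is not DeepCode's own code: the route parameter is percent-decoded (repeatedly, to cover double encoding), lexically normalized and symlink-resolved, and only served if the result is still inside FRONTEND_DIST. The FRONTEND_DIST location is a constructed placeholder, and `resolve_spa_path` is a hypothetical helper a handler would call before reading the file.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Constructed placeholder for the SPA build directory (not DeepCode's real path).
FRONTEND_DIST = Path("/srv/deepcode/frontend_dist")


def resolve_spa_path(full_path: str, dist: Path = FRONTEND_DIST) -> Optional[Path]:
    """Map the raw {full_path} route parameter onto a file under `dist`.

    Returns the resolved path when it stays inside `dist`, otherwise None
    (the caller should answer 404). Decoding happens *before* the join, so
    "%2E%2E%2F" is handled exactly like "../" instead of surviving as an
    opaque segment that a later filesystem lookup would resolve upward.
    """
    decoded = full_path
    # Decode until stable so "%252E" (double-encoded dot) is seen as "." too.
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    # Embedded NUL bytes truncate paths in C-level filesystem calls; refuse them.
    if "\x00" in decoded:
        return None

    base = dist.resolve()
    # Strip leading "/" so an absolute path cannot escape via Path's join rules,
    # then resolve() to collapse "." / ".." and follow any symlinks.
    candidate = (base / decoded.lstrip("/")).resolve()

    # Containment check: the final path must remain under the resolved base.
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("assets/app.js", "%2E%2E%2F%2E%2E%2Fetc%2Fhostname", "%252E%252E%252Fx"):
        print(f"{req!r:45} -> {resolve_spa_path(req)}")
```

An empty route parameter resolves to `dist` itself, so the handler's existing SPA fallback (serve index.html) applies unchanged.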



Advisories

No advisories yet.

History

Wed, 03 Jun 2026 18:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:hkuds:deepcode:*:*:*:*:*:*:*:*

Sat, 30 May 2026 03:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 16:00:00 +0000

Type: First Time appeared
Values Added: Hkuds; Hkuds deepcode

Type: Vendors & Products
Values Added: Hkuds; Hkuds deepcode

Thu, 28 May 2026 19:45:00 +0000

Type: Description
Values Added: the description text shown at the top of this page

Type: Title
Values Added: DeepCode 1.2.0 Path Traversal via SPA Catch-All Route in main.py

Type: Weaknesses
Values Added: CWE-22

Type: References
Values Added: (empty)

Type: Metrics
Values Added: cvssV3_1
{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
cvssV4_0
{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-30T02:12:30.583Z

Reserved: 2026-03-16T18:11:41.758Z

Link: CVE-2026-32847

Vulnrichment

Updated: 2026-05-30T02:12:26.456Z

NVD

Status: Analyzed

Published: 2026-05-28T20:16:22.613

Modified: 2026-06-03T18:02:38.257

Link: CVE-2026-32847

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:50Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')