Impact
An attacker can craft a malicious test result file that includes a path traversal reference to a sensitive file on the host system. During report generation, Allure resolves the path and embeds the file content in the final report, exposing confidential data without authentication. This flaw resides in the path handling of attachment sources (CWE‑22) and allows untrusted data to be read by the report generator.
Affected Systems
Allure Report version 2.x (Allure 2) prior to 2.38.0 is affected. The vulnerability impacts the Allure framework across Allure 1, Allure 2, and XCTest Readers, and any system that uses these components to generate test reports.
Risk and Exploitability
The CVSS score of 8.6 indicates high severity. Because the vulnerability requires only a malicious result file to be processed, any compromised CI/CD pipeline or build system that generates reports could be used. The attack does not require external network access; it is a file‑system compromise within the host where the report is generated. No public exploit is documented, and the issue is not listed in the KEV catalog, but the high severity and lack of mitigations suggest a strong likelihood of exploitation in projects that do not upgrade immediately.
OpenCVE Enrichment
Github GHSA