Impact
Allure Report versions prior to 2.38.0 allow an attacker to read arbitrary files on the host system by injecting path traversal sequences into the attachment source field of test result files. During report generation, the tool resolves these paths and copies the referenced files into the final report, thereby exposing confidential data. This vulnerability is a classic path traversal flaw (CWE-22).
Affected Systems
The flaw affects the Allure Report tool across its 1.x and 2.x branches, including the XCTest Reader component. Any installation of Allure Report before version 2.38.0 is vulnerable. The issue is identified by the Allure Framework for Allure Report products.
Risk and Exploitability
The CVSS score of 8.6 indicates high severity, while the EPSS score below 1 % suggests that exploitation is currently uncommon, and the vulnerability is not included in the CISA KEV catalog. An attacker must supply a crafted test result file; the vulnerability is triggered during report generation and can read any file accessible to the process, potentially exposing sensitive configuration or secret files.
OpenCVE Enrichment
Github GHSA