Pulpy injects a pulpy.fs JavaScript API into packaged web applications, allowing them to access the host filesystem. A validateFsPath() function was intended to sandbox this access, but its blocklist is incomplete. As a result, any web app packaged with Pulpy before version 0.1.1 can read and write arbitrary files in the user’s home directory, including sensitive items such as ~/.ssh/id_rsa, ~/.aws/credentials, and Keychain entries. This flaw enables an attacker to obtain private keys, secrets, and other confidential data, potentially allowing further exploitation such as credential theft or local privilege escalation.

The vulnerability affects the Pulpy desktop application (product: Pulpy by enesgkky) and any web applications packaged with it that use Pulpy prior to version 0.1.1. Users who have built or run packaged web apps with Pulpy versions older than 0.1.1 are at risk.

The issue carries a CVSS score of 9.3 and is not listed in the CISA KEV catalog; EPSS data is unavailable, meaning no precise exploitation likelihood is reported. The likely attack vector is a malicious packaged web app executed locally on the user’s machine. Once the app runs under Pulpy, the incomplete sandbox permits the app to traverse arbitrary paths within the user’s home directory, read and modify files, and exfiltrate sensitive information. Due to the high severity and the possibility of credential compromise, the vulnerability poses a significant threat to data confidentiality and integrity for affected users.