Xreader 4.6.3 (commit ef5a50d) does not sanitize ../ sequences in href attributes of EPUB OPF manifest and navigation files. When building absolute paths for content items, relative paths are concatenated directly to the document directory, allowing an attacker to craft a malicious EPUB that displays arbitrary local files (e.g., /etc/passwd).
This is the same class of vulnerability as CVE-2023-44451, but in a different code path.
Affected Code
backend/epub/epub-document.c:1387 — setup_document_content_list():
g_string_append_printf(absolutepath, "/%s", relativepath);
backend/epub/epub-document.c:1555 — get_child_list():
gchar *filepath = g_strdup_printf("%s/%s", documentdir, filename);
In both cases, relativepath/filename come from href attributes in the EPUB package and are used without any validation against directory traversal.
Steps to Reproduce
- Generate a malicious EPUB using the PoC script from the full report
- Open poc.epub in xreader
- Navigate to page 2
- The contents of /etc/passwd (or any target file) are rendered inside xreader
Suggested Fix
Add a g_file_get_relative_path() check after building the absolute path in both functions, rejecting items that resolve outside documentdir; this is the same pattern used to fix CVE-2023-44451. g_file_new_for_path() canonicalizes the path it is given, collapsing "." and ".." components, so an href such as ../../etc/passwd yields a GFile whose path no longer has documentdir as a prefix and g_file_get_relative_path() returns NULL. Two caveats: the comparison is lexical and does not follow symlinks, and documentdir must itself be an absolute, canonical path for the prefix test to mean anything. In get_child_list() the path to check is filepath rather than absolutepath->str, otherwise the code is the same:
GFile *parent = g_file_new_for_path(documentdir);
GFile *child = g_file_new_for_path(absolutepath->str);
gchar *relative = g_file_get_relative_path(parent, child);
if (relative == NULL) {
// path escapes document directory — skip this item
g_object_unref(parent);
g_object_unref(child);
continue;
}
g_free(relative);
g_object_unref(parent);
g_object_unref(child);
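To make the two concatenation sites and the proposed containment check concrete, the following is an added example in Python; it is not Xreader code and not the PoC script from the report. It builds a minimal EPUB whose manifest carries a traversal href of the kind described above, reads the manifest back out of the container, and resolves each href both the unchecked way (a plain documentdir/href join, as at the two affected lines) and through a prefix check that stands in for g_file_new_for_path() plus g_file_get_relative_path(). The document directory /tmp/xreader-doc, the container.xml and the manifest contents are constructed for the example.

```python
"""Added example, not Xreader code: unchecked href resolution beside a
containment check modelled on g_file_get_relative_path()."""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

OPF_NS = "{http://www.idpf.org/2007/opf}"
CONTAINER_NS = "{urn:oasis:names:tc:opendocument:xmlns:container}"

# Constructed package document: two ordinary items and one whose href climbs
# out of the unpacked document directory, the pattern the advisory describes.
MALICIOUS_OPF = """<?xml version="1.0" encoding="UTF-8"?>
<package xmlns="http://www.idpf.org/2007/opf" version="3.0" unique-identifier="uid">
  <manifest>
    <item id="nav" href="nav.xhtml" media-type="application/xhtml+xml" properties="nav"/>
    <item id="ch1" href="text/ch1.xhtml" media-type="application/xhtml+xml"/>
    <item id="ch2" href="../../../../../../etc/passwd" media-type="application/xhtml+xml"/>
  </manifest>
  <spine><itemref idref="ch1"/><itemref idref="ch2"/></spine>
</package>
"""

# Constructed OCF container pointing at the package document above.
CONTAINER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<container version="1.0" xmlns="urn:oasis:names:tc:opendocument:xmlns:container">
  <rootfiles><rootfile full-path="OEBPS/content.opf" media-type="application/oebps-package+xml"/></rootfiles>
</container>
"""


def build_epub_bytes(opf_xml: str) -> bytes:
    """Pack a minimal EPUB (OCF zip) in memory around the given package document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # OCF requires 'mimetype' to be the first entry and stored uncompressed.
        zf.writestr("mimetype", "application/epub+zip", compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/container.xml", CONTAINER_XML)
        zf.writestr("OEBPS/content.opf", opf_xml)
        zf.writestr("OEBPS/nav.xhtml", "<html/>")
        zf.writestr("OEBPS/text/ch1.xhtml", "<html/>")
    return buf.getvalue()


def opf_from_epub(epub_bytes: bytes) -> str:
    """Locate the package document via META-INF/container.xml and return its text."""
    with zipfile.ZipFile(io.BytesIO(epub_bytes)) as zf:
        container = ET.fromstring(zf.read("META-INF/container.xml"))
        rootfile = container.find(".//" + CONTAINER_NS + "rootfile").get("full-path")
        return zf.read(rootfile).decode("utf-8")


def manifest_hrefs(opf_xml: str) -> List[str]:
    """Every href in the OPF manifest, exactly as the package supplies it."""
    root = ET.fromstring(opf_xml)
    return [item.get("href") for item in root.iter(OPF_NS + "item")]


def build_path(documentdir: str, href: str) -> str:
    """The unchecked join from the affected code: "%s/%s" with no validation."""
    return documentdir + "/" + href


def effective_path(documentdir: str, href: str) -> str:
    """Where the unchecked join actually points once the '..' segments collapse."""
    return posixpath.normpath(build_path(documentdir, href))


def relative_path(parent: str, descendant: str) -> Optional[str]:
    """Stand-in for g_file_get_relative_path(): descendant relative to parent, or
    None when parent is not a proper prefix (equal paths also give None).
    Lexical only, like the GLib call: '..' is collapsed, symlinks are not followed."""
    parent = posixpath.normpath(parent)
    descendant = posixpath.normpath(descendant)
    prefix = parent.rstrip("/") + "/"
    if not descendant.startswith(prefix):
        return None
    return descendant[len(prefix):]


def resolve_manifest(documentdir: str, opf_xml: str) -> Dict[str, Optional[str]]:
    """Map each manifest href to its accepted absolute path, or None if rejected."""
    resolved: Dict[str, Optional[str]] = {}
    for href in manifest_hrefs(opf_xml):
        abspath = effective_path(documentdir, href)
        resolved[href] = abspath if relative_path(documentdir, abspath) is not None else None
    return resolved


if __name__ == "__main__":
    docdir = "/tmp/xreader-doc"  # constructed: where the reader unpacked the EPUB
    opf = opf_from_epub(build_epub_bytes(MALICIOUS_OPF))
    for href, accepted in resolve_manifest(docdir, opf).items():
        print(f"{href!r}: unchecked -> {effective_path(docdir, href)}, checked -> {accepted}")
```

Run as a script it prints, for the traversal item, the unchecked resolution /etc/passwd and the checked result None; the two legitimate items resolve identically under both policies, which is the property a regression test for the fix should assert.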
Impact
An attacker can read any file accessible to the user running xreader by sending a crafted .epub file. No user interaction beyond opening the file and turning the page is required.
References