Hi hangwin,
I am a security researcher who has identified a security issue in this
repository that I'd like to report privately.
However, Private Vulnerability Reporting is not currently enabled, and I
could not find a security contact email in README, SECURITY.md, or
package.json.
Could you either:
- Enable Private Vulnerability Reporting at
  Settings → Security → Advisories → "Private vulnerability reporting" → Enable
- Or share a security contact email that I can reach you at
I will NOT disclose vulnerability details in this public issue. I'm
happy to provide a full coordinated disclosure advisory with CVSS,
code line numbers, and PoC once I have a private channel.
For reference: the issue relates to app/native-server/src/file-handler.ts
(arbitrary file operations via the chrome_file_upload MCP tool path).
Severity estimate: High (CVSS ~7.8).
Thanks,
hwangpongpong10@gmail.com
GitHub: HOHK0923