CVE-2024-36857
published 2024-06-04

CVE-2024-36857: Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.

Priority: P2 (74) · high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Status: exploited in the wild (ITW) · public exploit · VulnCheck KEV
EPSS: 2.05% (78.9th percentile)

Affected (2 ranges)

Vendor    Product  Version range  Fixed in
homebrew  jan      (not listed)   (not listed)
janhq     core     0 – 0.1.11     (not listed)

Detection & IOCs (extracted from sources)

url: /v1/app/readFileSync
command: POST /v1/app/readFileSync HTTP/1.1
path: file:/../../../../../..{{path}}
other: http.favicon.hash:-165268926
other: icon_hash="-165268926"
  • Detect POST requests to /v1/app/readFileSync with a body containing path traversal sequences (e.g., 'file:/../') and file paths such as /etc/passwd or /Windows/win.ini.
  • Response body matching regex 'root:.*:0:0:' (Linux /etc/passwd) or '\[(font|extension|file)s\]' (Windows win.ini) with HTTP 200 and Content-Type text/plain indicates successful exploitation.
  • Use Shodan favicon hash -165268926 or FOFA icon_hash="-165268926" to identify exposed Jan v0.4.12 instances on the internet.
  • The exploit requires no authentication (PR:N, UI:N per CVSS), so any unauthenticated POST to the readFileSync endpoint with traversal payload is suspicious.
  • The path traversal payload uses the 'file:/' URI scheme prefix combined with '../' sequences. Detection rules must account for this non-standard traversal format rather than plain '../' sequences alone.
  • The vulnerability is confirmed only in Jan v0.4.12; the CPE scope is limited to this specific version.
  • The EPSS score of 0.53443 (97.988th percentile) indicates a very high probability of exploitation in the wild; prioritize detection and patching accordingly.
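The request-side and response-side checks listed above, applied to constructed sample HTTP exchanges. This is an added detection example, not code from this page or from the Jan project; the request body format and the `Exchange` record shape are assumptions.

```python
import re
from dataclasses import dataclass
from collections import Counter

ENDPOINT = "/v1/app/readFileSync"
# Traversal as seen in the indicator above ('file:/' prefix + '../') or bare '../'
TRAVERSAL_RE = re.compile(r"(?:file:/+)?(?:\.\./|\.\.\\)", re.IGNORECASE)
# Sensitive targets named in the detection notes
SENSITIVE_RE = re.compile(r"/etc/passwd|[/\\]windows[/\\]win\.ini", re.IGNORECASE)
# Response signatures of a successful read (regexes from the notes above)
PASSWD_RE = re.compile(r"root:.*:0:0:")
WININI_RE = re.compile(r"\[(font|extension|file)s\]", re.IGNORECASE)

@dataclass
class Exchange:          # assumed record shape for one request/response pair
    method: str
    path: str
    body: str            # raw request body (format assumed)
    status: int
    content_type: str    # response Content-Type
    response: str        # response body

def classify(ex: Exchange) -> str:
    """Return 'benign', 'attempt' (traversal sent) or 'success' (file content came back)."""
    if ex.method.upper() != "POST" or ex.path.split("?", 1)[0] != ENDPOINT:
        return "benign"
    if not (TRAVERSAL_RE.search(ex.body) or SENSITIVE_RE.search(ex.body)):
        return "benign"
    plain_ok = ex.status == 200 and ex.content_type.lower().startswith("text/plain")
    if plain_ok and (PASSWD_RE.search(ex.response) or WININI_RE.search(ex.response)):
        return "success"
    return "attempt"

def summarize(exchanges) -> dict:
    """Count verdicts over a batch of exchanges."""
    return dict(Counter(classify(ex) for ex in exchanges))

# Constructed sample exchanges (not captured traffic)
SAMPLES = [
    Exchange("GET", "/v1/app/version", "", 200, "application/json", '{"version":"0.4.12"}'),
    Exchange("POST", ENDPOINT, "file:/data/models/config.json", 200, "text/plain", "{}"),
    Exchange("POST", ENDPOINT, "file:/../../../../../../etc/passwd", 404, "text/plain", "not found"),
    Exchange("POST", ENDPOINT, "file:/../../../../../../etc/passwd", 200,
             "text/plain; charset=utf-8", "root:x:0:0:root:/root:/bin/bash\n"),
]

if __name__ == "__main__":
    for ex in SAMPLES:
        print(classify(ex), ex.method, ex.path, repr(ex.body[:40]))
    print(summarize(SAMPLES))
```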

CVSS provenance

nvd: CVSS v3.1 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 7.5 HIGH