## Path Traversal Vulnerability in stock-bot Dashboard Exposes Arbitrary File Read Risk
A security review of a recent commit to the open-source stock-bot repository has flagged a critical path traversal flaw, rated high severity, in its telemetry dashboard. The vulnerability, located in `dashboard.py` at lines 7248–7298, lies in the `/api/telemetry/latest/computed` endpoint. The endpoint accepts a client-supplied `name` query parameter and passes it directly into a file path built as `comp_dir / str(fn)`, guarded only by a superficial `.endswith(".json")` check. Security researchers warn that this pattern lets an attacker submit names such as `../../../etc/passwd.json` or `../../.env.json`, escaping the intended directory and reading arbitrary JSON files on the host system. No `resolve()` call or parent-directory containment check is applied to the input.

The finding surfaced during a full-tree security scan triggered by push `4889bc583caadb5a306736ce030994545418f4fe`, which addressed a separate issue: the seed continuous PnL ledger's handling of empty or newline-only files. The two modified files, `scripts/telemetry/seed_continuous_pnl_ledger.py` and `telemetry/continuous_pnl_ledger.py`, were cleared as clean by reviewers, indicating that this push did not itself introduce the flaw. The scan did reveal, however, that the vulnerable path construction was already present in the codebase, exposing any deployment of the telemetry dashboard to potential information disclosure.

The repository, maintained under the GitHub handle `mlevitan96-crypto`, remains active, with recent commits addressing operational bugs in PnL ledger management. The path traversal finding makes it urgent for maintainers to add proper path sanitization, specifically replacing the weak suffix check with a robust containment check, before the dashboard is deployed in any production environment. Until it is patched, any instance exposing the telemetry endpoint could be used by an authenticated or unauthenticated actor to read sensitive configuration files, environment variables, or other internal JSON artifacts readable by the server process.
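The suffix-only join described above, placed next to a hardened lookup that resolves the candidate path and checks it still sits directly inside the computed directory. This is an added illustration, not code from the stock-bot repository; the function names, the `/srv/stock-bot/...` directory and the probe filenames are constructed for the example.

```python
from pathlib import Path
from typing import Dict, Iterable, Optional

SUFFIX = ".json"


def vulnerable_computed_path(comp_dir: Path, name: str) -> Path:
    """The pattern the write-up describes: a suffix check, then a raw join.
    A name like '../../../etc/passwd.json' passes the check and leaves comp_dir."""
    fn = name
    if not str(fn).endswith(SUFFIX):
        raise ValueError("name must end with .json")
    return comp_dir / str(fn)


def safe_computed_path(comp_dir: Path, name: str) -> Optional[Path]:
    """Return the path to serve, or None when the request must be rejected.

    Three independent checks: the name is a single path component (no
    separators, no '..', no absolute path), the suffix is exactly .json, and
    the resolved candidate is a direct child of the resolved comp_dir, so
    '..' segments and symlinks pointing outside the directory are both caught.
    """
    if name in ("", ".", "..") or Path(name).name != name:
        return None                        # separators or traversal segments
    if Path(name).suffix != SUFFIX:
        return None                        # e.g. 'x.json.bak' or 'x.JSON'
    base = comp_dir.resolve()
    candidate = (base / name).resolve()    # follows symlinks; need not exist
    if candidate.parent != base:
        return None                        # escaped comp_dir after resolution
    return candidate


def classify(comp_dir: Path, names: Iterable[str]) -> Dict[str, bool]:
    """Map each requested name to True (would be served) or False (rejected)."""
    return {n: safe_computed_path(comp_dir, n) is not None for n in names}


if __name__ == "__main__":
    # Constructed sample directory; it does not have to exist for resolve().
    base = Path("/srv/stock-bot/telemetry/computed")
    probes = ["latest.json", "../../../etc/passwd.json", "../../.env.json",
              "sub/latest.json", "latest.json.bak"]
    for n, ok in classify(base, probes).items():
        verdict = "serve " if ok else "reject"
        raw = vulnerable_computed_path(base, n) if n.endswith(SUFFIX) else "-"
        print(f"{verdict} {n!r:32} suffix-only join -> {raw}")
```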
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: path-traversal, security-vulnerability, code-review, telemetry, dashboard
- **Credibility**: unverified
- **Published**: 2026-04-23 23:54:17
- **ID**: 76565
- **URL**: https://whisperx.ai/en/intel/76565