GHSA-62gx-5q78-wrvx: obsidian-local-rest-api: Authenticated path traversal via URL-encoded %2F in /vault/{path} — arbitrary host file read/write/delete
Summary
The Obsidian Local REST API plugin has a path traversal vulnerability (a flaw where attackers can access files outside the intended directory) in its `/vault/{path}` endpoints. An authenticated attacker can bypass path validation by using URL-encoded characters like `%2F` (encoded forward slash) and `%2e%2e` (encoded dots), which aren't blocked during initial routing but get decoded later, allowing them to read, write, or delete arbitrary files on the host system with the privileges of the Obsidian process.
Solution / Mitigation
Apply the same `posix.resolve(syntheticRoot, …)` plus `startsWith` confinement check that already exists in the `vaultMove` handler to all other vault handlers (GET/PUT/PATCH/POST/DELETE). Specifically, for each handler's decoded path, resolve it against a synthetic root of `/vault` and reject any result that does not equal `/vault` or start with `/vault/`, and reject any segment that decodes to `..`.
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-62gx-5q78-wrvx
First tracked: July 15, 2026 at 08:01 PM
Classified by LLM (prompt v3) · confidence: 85%