TinyScientist has Path Traversal Vulnerability in PDF Review Function (CWE-22)

Moderate severity. GitHub Reviewed.
Published Aug 8, 2025 in ulab-uiuc/tiny-scientist. Updated Aug 11, 2025.
Published by the National Vulnerability Database: Aug 9, 2025
Published to the GitHub Advisory Database: Aug 11, 2025
Reviewed: Aug 11, 2025
Last updated: Aug 11, 2025
Description
A critical path traversal vulnerability (CWE-22) has been identified in the review_paper function in backend/app.py. The vulnerability allows malicious users to access arbitrary PDF files on the server by providing crafted file paths that bypass the intended security restrictions.

Impact
This vulnerability allows attackers to:
Vulnerable Code
The issue occurs in the review_paper function around line 744:

Proof of Concept
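The advisory's vulnerable snippet and proof of concept are not reproduced on this page. As an added illustration that is not the project's code, the following Python shows the join-without-check pattern that CWE-22 describes next to a hardened resolver for a PDF review endpoint; the PDF_ROOT directory, the function names and the sample request values are assumptions.

```python
from pathlib import Path

# Constructed stand-in for the server's PDF directory; the real layout of
# backend/app.py is not reproduced here.
PDF_ROOT = Path("/srv/tinyscientist/pdfs")


def unsafe_pdf_path(user_path: str, root: Path = PDF_ROOT) -> Path:
    """The CWE-22 pattern: the user-supplied value is joined to the base
    directory with no check. pathlib replaces the root entirely when the
    right-hand side is absolute, and '..' segments walk out of it."""
    return root / user_path


def safe_pdf_path(user_path: str, root: Path = PDF_ROOT) -> Path:
    """Hardened resolver: normalise the joined path (following symlinks),
    then require that it is still inside root and names a .pdf file.
    Raises ValueError for anything else."""
    root = root.resolve()
    candidate = (root / user_path).resolve()
    # is_relative_to compares path components, so a sibling directory such
    # as /srv/tinyscientist/pdfs-old does not pass as a string prefix would.
    if not candidate.is_relative_to(root):
        raise ValueError("path escapes the PDF directory")
    if candidate == root or candidate.suffix.lower() != ".pdf":
        raise ValueError("only .pdf files inside the PDF directory may be reviewed")
    return candidate


def check(user_path: str, root: Path = PDF_ROOT) -> bool:
    """True if the hardened resolver would serve user_path, False if it rejects it."""
    try:
        safe_pdf_path(user_path, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request values, not taken from the advisory.
    for requested in ["paper.pdf", "2025/draft.pdf", "../../etc/passwd",
                      "/etc/passwd", "notes.txt", ""]:
        verdict = "served" if check(requested) else "rejected"
        print(f"{requested!r:20} unsafe -> {unsafe_pdf_path(requested)}  hardened -> {verdict}")
```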
Credit
This vulnerability was discovered and reported by Ruizhe.
References