CVE-2022-45299

CRITICAL

webbrowser < 0.8.3 - Path Traversal via IpFile Argument

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-45299. PoCs published by offalltn.

AI-analyzed exploit summary: The repository describes CVE-2022-45299, a vulnerability in webbrowser.rs before 0.8.3 where improper URL validation allows arbitrary local file access or command execution via ShellExecuteW on Windows. The PoC is documented with screenshots but lacks executable code.

Description

An issue in the IpFile argument of rust-lang webbrowser-rs v0.8.2 allows attackers to access arbitrary files via supplying a crafted URL.

Exploits (1)

nomisec WRITEUP 1 star
by offalltn · poc
https://github.com/offalltn/CVE-2022-45299

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: webbrowser.rs < 0.8.3
No auth needed
Prerequisites: Unfiltered input passed to webbrowser::open()
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit, Third Party Advisory
https://github.com/offalltn/CVE-2022-45299

Scores

CVSS v3 9.8
EPSS 0.0130
EPSS Percentile 80.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE CWE-22
Status published
Products (2)
crates.io/webbrowser 0 - 0.8.3 (crates.io)
webbrowser_project/webbrowser < 0.8.3
Published Jan 13, 2023
Tracked Since Feb 18, 2026