CVE-2024-25677
📋 TL;DR
This vulnerability in Min browser versions before 1.31.0 allows local HTML files to bypass same-origin policy restrictions and access other local files. Attackers could exploit this by tricking users into opening malicious local HTML files that steal sensitive data from other local files. Only Min browser users with vulnerable versions are affected.
💻 Affected Systems
- Min Browser
📦 What is this software?
Min by Minbrowser
⚠️ Risk & Real-World Impact
Worst Case
An attacker creates a malicious HTML file that, when opened in Min, can read sensitive local files (passwords, documents, configuration files) and exfiltrate them to remote servers.
Likely Case
Local file theft through crafted HTML pages that users might open from email attachments or downloads, potentially exposing personal or work documents.
If Mitigated
With users trained not to open untrusted HTML files in Min and the browser kept updated, the impact is minimal, since exploitation requires the user to open a malicious local file.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious HTML file). Proof of concept is available in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.31.0
Vendor Advisory: https://github.com/minbrowser/min/security/advisories/GHSA-4w9v-7h8h-rv8x
Restart Required: Yes
Instructions:
1. Open Min browser.
2. Go to Settings > About.
3. Check for updates, or manually download version 1.31.0 or later from https://minbrowser.org/.
4. Install the update and restart the browser.
🔧 Temporary Workarounds
Disable local file access
Configure Min to block local file access, or use an alternative browser for local HTML files.
Use alternative browser for local files
Open local HTML files in a browser that is not affected by this vulnerability.
🧯 If You Can't Patch
- Educate users to never open HTML files from untrusted sources in Min browser
- Implement application control to block execution of Min browser for sensitive users
🔍 How to Verify
Check if Vulnerable:
Open Min browser, go to Settings > About, check if version is below 1.31.0.
Check Version:
On Linux/macOS: `min --version`. On Windows: check About in the browser menu.
Verify Fix Applied:
After updating, verify version is 1.31.0 or higher in Settings > About.
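The version check above, as an added example that is not part of the advisory: it parses the output of `min --version` (the exact output format is an assumption; the script only requires a dotted version number to appear somewhere in it) and classifies the install as vulnerable if it is below 1.31.0, treating a pre-release of 1.31.0 as still vulnerable.

```python
import re
import subprocess

# Release 1.31.0 is the fix. The fourth element marks a final release (1) versus
# a pre-release (0), so that "1.31.0-beta" sorts below "1.31.0" in tuple comparison.
FIXED_VERSION = (1, 31, 0, 1)

def parse_version(text):
    """Extract the first dotted version number from strings such as 'Min 1.30.2'
    or 'v1.31.0-beta.1'. Returns (major, minor, patch, is_release) or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?", text)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.group(1, 2, 3))
    is_release = 0 if m.group(4) else 1
    return (major, minor, patch, is_release)

def is_vulnerable(text):
    """True if the version found in `text` is below the 1.31.0 release
    (i.e. affected by CVE-2024-25677)."""
    version = parse_version(text)
    if version is None:
        raise ValueError(f"no version number found in: {text!r}")
    return version < FIXED_VERSION

def check_installed(cmd=("min", "--version")):
    """Run the Linux/macOS check from the advisory and classify the result.
    Assumption: the command prints a dotted version number on stdout or stderr."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return f"could not run {' '.join(cmd)}: {exc}"
    output = (proc.stdout + proc.stderr).strip()
    return "VULNERABLE" if is_vulnerable(output) else "patched"

if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real installation.
    for sample in ["Min 1.30.2", "v1.31.0-beta.1", "1.31.0", "1.32.0"]:
        state = "VULNERABLE" if is_vulnerable(sample) else "patched"
        print(f"{sample:>15}: {state}")
    print(check_installed())
```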
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from Min browser process
- Multiple local file read attempts from HTML files
Network Indicators:
- Outbound connections from Min browser after opening local HTML files
- Data exfiltration to unusual destinations
SIEM Query:
process_name:"Min" AND file_access:"*.html" AND destination_ip:external