
Arbitrary file read vulnerability in Hackerrank


Trung Nguyen

Hacker. Builder. Educator. On a mission to make the internet safer.

April 5, 2023

Summary

HackerRank is a technical hiring platform that helps businesses evaluate software developers based on skill. I found that several of its websites could be attacked to read arbitrary files from the server.

Details

Most Hackerrank websites use Ruby on Rails (RoR) as their backend. Unfortunately, recent versions of Rails are vulnerable to a file content disclosure vulnerability (CVE-2019-5418). By placing a path traversal sequence in the Accept header of an HTTP request, an attacker can read arbitrary files on the remote server.
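The vector described above is a header value that the framework turns into a file path. As an added illustration (this is not code from the advisory, from Hackerrank, or from Rails, and the `StrictAcceptHeader` name and the sample header values are constructed for this example), the following Rack middleware rejects any request whose Accept header is not a syntactically valid list of media ranges, which is a defence-in-depth layer in front of vulnerable `render file:` calls:

```ruby
# Added example: a Rack middleware that validates the Accept header
# against RFC 7231 media-range syntax before a request reaches Rails.
# It is defence in depth only; the real fix for CVE-2019-5418 is
# upgrading Rails to a patched release.

# An HTTP token: letters, digits and a small set of punctuation.
# ("#" is escaped so Ruby does not treat "#$&" as interpolation.)
TOKEN = /[A-Za-z0-9!\#$&^_.+\-]+/

# One media range: "*/*", "type/*" or "type/subtype", followed by
# zero or more ";name=value" parameters (quoted values allowed).
MEDIA_RANGE = %r{\A(?:\*/\*|#{TOKEN}/(?:\*|#{TOKEN}))(?:\s*;\s*#{TOKEN}=(?:#{TOKEN}|"[^"]*"))*\z}

# Returns true when the header is absent or every comma-separated
# element is a well-formed media range. A ".." anywhere is rejected
# outright, since no real media type contains it but a path does.
def valid_accept?(header)
  return true if header.nil? || header.strip.empty?
  return false if header.include?("..")
  header.split(",").all? { |part| MEDIA_RANGE.match?(part.strip) }
end

# Rack middleware (constructed name): answers 406 Not Acceptable for a
# malformed Accept header and otherwise passes the request downstream.
class StrictAcceptHeader
  def initialize(app)
    @app = app
  end

  def call(env)
    unless valid_accept?(env["HTTP_ACCEPT"])
      return [406, { "Content-Type" => "text/plain" }, ["Not Acceptable\n"]]
    end
    @app.call(env)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a normal browser header and a header
  # carrying a traversal sequence instead of a media type.
  ok_app = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok\n"]] }
  app = StrictAcceptHeader.new(ok_app)
  browser = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
  bad     = "../../../../etc/passwd"
  puts app.call("HTTP_ACCEPT" => browser)[0] # 200
  puts app.call("HTTP_ACCEPT" => bad)[0]     # 406
end
```

In a Rails application the middleware would be registered with `config.middleware.insert_before 0, StrictAcceptHeader` (assuming the class is loaded). Log every 406 it produces: a client sending a non-media-type Accept value is a useful detection signal for probing of this bug.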

Examples of how to exploit this vulnerability

I found that two Hackerrank websites are affected by this flaw: www.hackerrank.com and codepair.hackerrank.com.

I only retrieved /etc/passwd as a PoC. However, according to other research, remote code execution is possible by combining CVE-2019-5418 with CVE-2019-5420.

Timeline

Apr 26, 2019 – I contacted the support team to establish a secure channel with the security team.

Apr 30, 2019 – The CTO of Hackerrank responded and I provided details.

Apr 30, 2019 – Hackerrank team confirmed the vulnerability.

May 13, 2019 – Hackerrank responded that the flaw had been completely fixed and could be disclosed. No bounty was offered, but a t-shirt might be sent.

May 30, 2019 – The t-shirt was delivered.
