CVE-2026-49338 - gonic playlist path traversal

gonic before 0.21.0 can allow path traversal through Subsonic playlist handlers. Crafted playlist paths can reach filesystem content outside the intended media library boundary.

Affected versions

  • Vulnerable: sentriz/gonic <0.21.0
  • Fixed: 0.21.0+

Remediation strategy

  • Upgrade to 0.21.0+.
  • Normalize playlist paths, reject absolute paths and traversal segments, and verify the final resolved path stays under the intended playlist root.
  • Re-check any custom forks or wrappers around playlist handlers.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-49338 / GHSA-hmgp-w9jm-vp95 in gonic. Produce either a
reviewer-ready PR that upgrades gonic, hardens playlist path containment, and
adds regression tests, or TRIAGE.md if this repository does not control the
affected gonic runtime or fork.

Steps:
1. Inventory gonic modules, forks, images, and playlist handlers.
2. Upgrade every controlled version to 0.21.0+.
3. Add or verify final-path containment for playlist operations.
4. Add regression tests for traversal payloads.
5. Use PR title `fix(sec): remediate gonic playlist path traversal`.

Verification

  • No controlled gonic runtime remains below 0.21.0.
  • Playlist handlers reject traversal payloads and stay under the intended root.

References