Uhhm…
I’m not sure that it’s correct calling this a security problem - maybe even misleading.
passwd intentionally is a publicly readable unix file. See this short article about the purpose of passwd. Maybe someone who knows this stuff better (me I only can ‘guess educatedly’) can comment.
In any case: access to the local file system from Browser is a (necessary) feature, not a security issue (but this most probably is a no-brainer).