Overview
This article details a critical path traversal vulnerability, identified as CVE-2025-51661, affecting FileCodeBox version 2.2 and earlier. This vulnerability allows unauthenticated remote attackers to write arbitrary files to the server’s filesystem when the application is configured to use local filesystem storage. By exploiting this flaw, attackers can potentially overwrite critical system files, inject malicious code, and compromise the entire server.
Technical Details
The vulnerability resides within the SystemFileStorage.save_file method in core/storage.py. The application fails to properly sanitize filenames provided by user input when constructing the save path. Specifically, filenames with malicious traversal sequences (e.g., ../) are not validated, allowing attackers to escape the intended upload directory.
The attack is triggered through the /share/file/upload endpoint, which, crucially, does not require any authentication. By sending a crafted POST request to this endpoint with a specially crafted filename, an attacker can write files to any location on the server accessible to the application’s user account.
Here’s a simplified illustration of the vulnerable code:
# core/storage.py (Vulnerable Code - Simplified)
import os
def save_file(upload_dir, filename, file_content):
save_path = os.path.join(upload_dir, filename) # NO VALIDATION HERE!
with open(save_path, 'wb') as f:
f.write(file_content)
CVSS Analysis
Due to the lack of assigned CVSS score by NVD, a CVSS analysis is not available. However, given the impact described below, and the ability for unauthenticated users to write arbitrary files, the score would likely be in the Critical range (9.0-10.0) if scored.
Possible Impact
The potential impact of CVE-2025-51661 is severe. An attacker could:
- Overwrite critical system files: Leading to denial of service or complete system compromise.
- Inject malicious code: Inserting backdoors or malware to gain persistent access and control over the server.
- Read sensitive data: Potentially read configuration files or other sensitive information located on the server.
- Achieve Remote Code Execution (RCE): By uploading and executing a malicious script, an attacker could gain complete control over the server.
Mitigation and Patch Steps
To mitigate this vulnerability, the following steps should be taken:
- Upgrade FileCodeBox: Upgrade to a patched version of FileCodeBox that addresses this vulnerability. Check the FileCodeBox GitHub repository for updates.
- Input Validation: Implement strict input validation on filenames received from users. Sanitize filenames to remove or encode any potentially malicious characters, especially traversal sequences like
../and..\. - Path Normalization: Use path normalization functions to resolve relative paths and ensure that the final save path remains within the intended upload directory.
- Principle of Least Privilege: Ensure that the application runs with the minimum necessary privileges to access the filesystem.
- Web Application Firewall (WAF): Implement a WAF to detect and block malicious requests targeting the upload endpoint.
