GHSA-x4q4-7phh-42j9

Опубликовано: 04 фев. 2026

Источник: github

Github: Прошло ревью

CVSS3: 8.8

Описание

Alist vulnerable to Path Traversal in multiple file operation handlers

Summary

The application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal, movement and copying across user boundaries within the same storage mount.

Details

The application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers (server/handles/fsmanage.go, server/handles/fsbatch.go, etc.). Filename components in req.Names, renameObject.SrcName, and renameObject.NewName are directly concatenated with validated directories using stdpath.Join() or fmt.Sprintf(). This allows ".." sequences to bypass path restrictions, enabling users to access other users' files within the same storage mount and perform unauthorized actions such as deletion, renaming, or copying of files.

FsRemove:

func FsRemove(c *gin.Context) { // ... for _, name := range req.Names { err := fs.Remove(c, stdpath.Join(reqDir, name))

FsCopy:

func FsCopy(c *gin.Context) { // ... for i, name := range req.Names { t, err := fs.Copy(c, stdpath.Join(srcDir, name), dstDir, len(req.Names) > i+1)

FsBatchRename:

func FsBatchRename(c *gin.Context) { // ... for _, renameObject := range req.RenameObjects { filePath := fmt.Sprintf("%s/%s", reqPath, renameObject.SrcName) // Vulnerable concatenation ✗ fs.Rename(c, filePath, renameObject.NewName) } }

PoC

Environment setup:

Storage mount '/shared' configured with multiple users.
Alice has base path '/shared/alice'.
Admin has base path '/shared/admin' with private files.
Both users operate within the same storage mount.

Craft Malicious Request: Alice sends a POST request to /api/fs/remove containing a filename with '../' in it.

curl -X POST -H "Content-Type: application/json" -d '{"dir":"/","names":["../admin/private.txt"]}' http://localhost:5244/api/fs/remove

Admin's file is deleted without Alice having authorisation for Admin's directory.

Video

Impact

This vulnerability enables privilege escalation within shared storage environments. An authenticated attacker with basic file operation permissions (remove/rename/copy/move) can bypass directory-level authorisation controls when multiple users exist within the same storage mount.

Attack Requirements:

Authenticated user account (not guest)
Basic file operation permissions
Multi-user environment within the same storage mount

Consequences:

Unauthorised data access: Read, copy, and exfiltrate files from other users' directories
Data destruction: Delete or rename files belonging to other users
Access control bypass: Circumvent directory isolation mechanisms
Integrity violation: Modify or move files across user boundaries

Credit

This vulnerability was discovered by:

XlabAI Team of Tencent Xuanwu Lab
Atuin Automated Vulnerability Discovery Engine

If there are questions regarding the vulnerability details, please feel free to reach out for further discussion at xlabai@tencent.com.

Ссылки

Пакеты

Наименование

github.com/alist-org/alist/v3

Затронутые версииВерсия исправления

< 3.57.0

3.57.0

EPSS

Процентиль: 16%

0.0005

Низкий

8.8 High

CVSS3

CVE ID

CVE-2026-25161

Дефекты

CWE-22

Связанные уязвимости

CVE-2026-25161

CVSS3: 8.8

nvd

2 дня назад

Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal, movement and copying across user boundaries within the same storage mount. This issue has been patched in version 3.57.0.

EPSS

Процентиль: 16%

0.0005

Низкий

8.8 High

CVSS3

CVE ID

CVE-2026-25161

Дефекты

CWE-22