Flare · Flare · CVE-2026-30942
**Name of the Vulnerable Software and Affected Versions**
Flare versions prior to 1.7.3
**Description**
Flare is a Next.js-based, self-hostable file sharing platform. Versions prior to 1.7.3 contain a path traversal in the `/api/avatars/[filename]` endpoint that lets any authenticated user read arbitrary files inside the application container. The `filename` route parameter is passed to `path.join()` without sanitization, and `getFileStream()` performs no validation of the resulting path, so encoded `../` sequences escape the `uploads/avatars/` directory and reach any file readable by the Next.js process under `/app/`. The endpoint sits behind Next.js authentication middleware, but because open registration is the default setting, an attacker can create an account and then exploit the issue. The vulnerable parameter is `filename`.
**Recommendations**
Update Flare to version 1.7.3 or later.