Unknown · Hkuds Lightrag · CVE-2025-6773
Name of the Vulnerable Software and Affected Versions:
HKUDS LightRAG versions up to 1.3.8
Description:
A critical vulnerability was found in the File Upload component of HKUDS LightRAG. The issue affects the `upload_to_input_dir` function in the file `lightrag/api/routers/document_routes.py`. Manipulation of the `file.filename` argument leads to path traversal: a client-controlled filename is used to build the destination path, so a name containing directory components can place the uploaded file outside the intended input directory. The attack can be launched on the local host.
Recommendations:
For versions up to 1.3.8, apply a patch to fix this issue. As a temporary workaround, consider restricting access to the `upload_to_input_dir` function in the `lightrag/api/routers/document_routes.py` file to reduce the risk of exploitation, and avoid using the client-supplied `file.filename` argument in the affected File Upload component until the issue is resolved.
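The class of fix the recommendation points at, shown as an added illustration (this is hypothetical hardening code, not LightRAG's own code or its actual patch): the upload helper rejects any client-supplied name that carries directory components and then confirms that the resolved destination still lies inside the assumed single trusted input directory.

```python
import os
import tempfile

# Hypothetical hardened upload helper, added for illustration; it is not
# LightRAG's own code or its fix. Assumed contract: the server owns one trusted
# input directory and the client controls only the upload's filename.

def check_upload_name(filename: str) -> bool:
    """Reject names that are empty, reserved, or contain separators or NUL bytes."""
    if not filename or filename in (".", ".."):
        return False
    if "\x00" in filename:
        return False
    # Any directory separator means the client is choosing a path, not a name.
    if "/" in filename or "\\" in filename:
        return False
    return True


def resolve_upload_path(input_dir: str, filename: str) -> str:
    """Absolute destination for `filename` inside `input_dir`; ValueError on escape."""
    if not check_upload_name(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    root = os.path.realpath(input_dir)
    dest = os.path.realpath(os.path.join(root, filename))
    # Defence in depth: realpath follows symlinks, so a pre-planted link inside
    # input_dir that points elsewhere is caught here as well.
    if os.path.commonpath([root, dest]) != root:
        raise ValueError(f"path escapes input dir: {filename!r}")
    return dest


def save_upload(input_dir: str, filename: str, data: bytes) -> str:
    """Write `data` to the validated destination and return its path."""
    dest = resolve_upload_path(input_dir, filename)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Constructed sample: try several client-supplied names against a temp dir."""
    names = ["report.pdf", "../../etc/passwd", "..\\secret.txt", "sub/dir/a.txt", ".."]
    results = {}
    with tempfile.TemporaryDirectory() as input_dir:
        for name in names:
            try:
                results[name] = os.path.exists(save_upload(input_dir, name, b"x"))
            except ValueError:
                results[name] = False
    return results
```

`demo()` returns which of the constructed names were accepted; only the plain `report.pdf` should be written, every other name is refused before any file is opened.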