PT-2025-47521 · Unknown · Filecodebox

Published 2025-11-19 · Updated 2025-11-21 · CVE-2025-51661

CVSS v3.1 7.5 High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FileCodeBox versions prior to 2.3
Description: FileCodeBox contains a path traversal flaw that allows arbitrary file writes when the application is configured to use local filesystem storage. The SystemFileStorage.save_file function in core/storage.py builds the save path from the user-supplied filename without validating it, so a filename containing traversal sequences causes the file to be written outside the intended upload directory. An attacker can trigger this by sending a crafted POST request whose filename contains traversal sequences to the /share/file/upload API endpoint. The endpoint requires no authorization, so unauthenticated remote attackers can write arbitrary files on the server.
Recommendations: Update FileCodeBox to version 2.3 or later. As a temporary workaround, restrict access to the /share/file/upload API endpoint. Ensure that filenames received from user input are validated before they are used to construct file paths.

Exploit

Fix

Weakness Enumeration

Related Identifiers

CVE-2025-51661

Affected Products

Filecodebox