Skip to content

LF Edge eKuiper vulnerable to File Path Traversal leading to file replacement

High severity GitHub Reviewed Published Jul 3, 2025 in lf-edge/ekuiper • Updated Jul 3, 2025

Package

gomod github.com/lf-edge/ekuiper (Go)

Affected versions

<= 1.14.7

Patched versions

None
gomod github.com/lf-edge/ekuiper/v2 (Go)
< 2.2.0
2.2.0

Description

Summary

Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application. In this case, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.

Details

The file handler function trusts the filename provided by the user. This includes the cases when the user uses a path instead of the filename. This makes possible to write arbitrary files to the system and replace the files owned by kuiper user on the filesystem. The vulnerable function is fileUploadHandler which is shown below:

https://github.com/lf-edge/ekuiper/blob/1e6b6b6601445eb05316532f5fbef7f0a863ecfe/internal/server/rest.go#L329-L359

Exploitation of this vulnerability allows an attacker to rewrite the files owned by ekuiper including the main kuiper binaries as they are owned by kuiper user:

kuiper binaries

PoC

  1. The files should be uploaded to /kuiper/data/uploads directory. So let's move to the /kuiper/data, examine the existing files and create an empty traversal-poc file owned by kuiper:

Preparation

  1. Now, we can go to Services > Configuration > File Management and try to upload file with name ../test:

GUI

Request in Burp

In the response we can see the path of the uploaded file and can assume that the traversal worked.

  1. Now we can try to change the traversal-poc file that we know exists on the server. It can be made with the following request:

traversal-poc change

  1. Now, if we look at the server, we can see the file created in the traversed directory and the replaced poc-file:

Changed files

Impact

  • Possibility to upload files to external directories;
  • Possibility to rewrite any file owned by kuiper user on the filesystem.

Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone

References

@ngjaying ngjaying published to lf-edge/ekuiper Jul 3, 2025
Published to the GitHub Advisory Database Jul 3, 2025
Reviewed Jul 3, 2025
Last updated Jul 3, 2025

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

EPSS score

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-fv2p-qj5p-wqq4

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.