| Field | Value |
|---|---|
| Title | fastapiadmin <= 2.2.0 Path Traversal: '/absolute/pathname/here' |
| Description | An unrestricted file download vulnerability in FastapiAdmin (≤ 2.2.0) exists at /api/v1/common/file/download (files: /backend/app/api/v1/module_common/file/controller.py, /backend/app/api/v1/module_common/file/service.py, /backend/app/utils/upload_util.py). The download endpoint accepts an arbitrary file_path parameter, performs no path sanitization or canonicalization, and uses Path(file_path) directly to open and stream files. As a result, any user granted the module_common:file:download permission can supply absolute paths or traversal payloads to read sensitive server files (for example /etc/passwd or private keys), enabling information disclosure and further attacks. Mitigations include enforcing strict path validation and canonicalization, restricting downloads to a safe upload directory or mapping logical IDs to files, disallowing absolute paths and traversal sequences, validating permissions per file, and serving files via a controlled safe API or signed, short-lived download tokens. |
| Source | https://github.com/CC-T-454455/Vulnerabilities/tree/master/fastapi-admin/vulnerability-2 |
| User | Anonymous User |
| Submission | 2026-02-11 06:33 (3 months ago) |
| Moderation | 2026-02-22 16:09 (11 days later) |
| Status | Accepted |
| VulDB Entry | 347360 [FastApiAdmin up to 2.2.0 Download Endpoint controller.py download_controller file_path information disclosure] |
| Points | 20 |
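The description above contrasts the unchecked `Path(file_path)` pattern with the recommended fix of canonicalizing the request and confining it to an upload directory. The following Python is an added example written for this page; it is not FastapiAdmin's code and does not use its module layout. The `vulnerable_resolve` function reproduces the unchecked pattern the advisory describes, `safe_resolve` implements the containment check, and `demo` builds a throwaway upload directory with constructed sample files (including a symlink pointing outside the root, a case the advisory does not mention but that the same canonicalization covers). The function names, `upload_root` parameter and sample file names are assumptions for this example; `Path.is_relative_to` requires Python 3.9 or later.

```python
import tempfile
from pathlib import Path, PurePosixPath


class UnsafePathError(ValueError):
    """Raised when a requested download path escapes the upload directory."""


def vulnerable_resolve(file_path: str) -> Path:
    # The pattern the advisory describes: the request parameter becomes a Path
    # with no checks, so an absolute path or '..' sequence is served as-is.
    return Path(file_path)


def safe_resolve(upload_root, file_path: str) -> Path:
    """Return the canonical file path under upload_root, or raise UnsafePathError."""
    # 1. Absolute paths are never acceptable: the client must not choose the root.
    if PurePosixPath(file_path).is_absolute() or file_path.startswith("\\"):
        raise UnsafePathError(f"absolute path rejected: {file_path!r}")
    # 2. An embedded NUL byte would truncate the path at the OS layer.
    if "\x00" in file_path:
        raise UnsafePathError("NUL byte in path")
    # 3. Canonicalize both sides. resolve() collapses '..' and follows symlinks,
    #    so a symlink inside the upload directory that points outside is caught too.
    root = Path(upload_root).resolve()
    candidate = (root / file_path).resolve()
    # 4. Containment is decided on the canonical path, never on the raw string
    #    (string-prefix checks are fooled by '/srv/uploads_other' style siblings).
    if not candidate.is_relative_to(root):
        raise UnsafePathError(f"path escapes upload root: {file_path!r}")
    return candidate


def classify(upload_root, file_path: str) -> str:
    """'allowed' if the request would be served from upload_root, else 'rejected'."""
    try:
        safe_resolve(upload_root, file_path)
    except UnsafePathError:
        return "rejected"
    return "allowed"


def demo() -> dict:
    """Exercise both resolvers against a constructed temporary upload directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        root.mkdir()
        (root / "report.pdf").write_text("constructed sample upload")
        # A constructed 'secret' that lives one level above the upload root.
        secret = Path(tmp) / "secret.key"
        secret.write_text("constructed secret outside the upload dir")
        # A symlink inside the upload root that points at the secret.
        (root / "link.key").symlink_to(secret)

        results["legit"] = classify(root, "report.pdf")
        results["traversal"] = classify(root, "../secret.key")
        results["absolute"] = classify(root, str(secret))
        results["symlink"] = classify(root, "link.key")
        # The unchecked resolver opens the file outside the root without complaint.
        results["vulnerable_reads_outside"] = vulnerable_resolve(str(secret)).read_text()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

When wiring a check like this into a download handler, pass the canonical path returned by `safe_resolve` to the streaming response rather than the original parameter, and apply the per-file permission check the advisory recommends to that canonical path. Mapping logical IDs to stored files, as the advisory also suggests, removes the path from the request entirely and is preferable where the application can afford the indirection.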