| タイトル | HKUDS LightRAG v1.3.8 Path Traversal |
|---|
| 説明 | The LightRAG framework supports the ingestion of diverse file formats, including code files (e.g., .html, .py, .sh, .java), configuration files (e.g., .ini, .conf), and database files (e.g., .sql). Within the LightRAG codebase, specifically in the file LightRAG/lightrag/api/routers/document_routes.py, the file upload functionality is implemented by the function upload_to_input_dir. At Line 802 of this file, the destination file path is constructed via the operation file_path = doc_manager.input_dir / file.filename. Crucially, the filename parameter is user-controllable input. This vulnerability enables a malicious actor to craft filenames incorporating directory traversal sequences (../). Exploiting this flaw permits the unauthorized upload of potentially malicious files to arbitrary, unintended locations within the server's filesystem hierarchy, circumventing the intended input directory constraints.Attackers can also view information pertaining to the inputs directory on the LightRAG Server Setting page. |
|---|
| ソース | ⚠️ https://github.com/HKUDS/LightRAG/issues/1692 |
|---|
| ユーザー | Hannibal0x (UID 86860) |
|---|
| 送信 | 2025年06月20日 14:31 (10 月 ago) |
|---|
| モデレーション | 2025年06月27日 12:22 (7 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 314089 [HKUDS LightRAG 迄 1.3.8 File Upload document_routes.py upload_to_input_dir file.filename ディレクトリトラバーサル] |
|---|
| ポイント | 20 |
|---|