Submit #808260: huangjunsen0406 xiaozhi-mcphub 1.0.3 Path Traversal

Title: huangjunsen0406 xiaozhi-mcphub 1.0.3 Path Traversal
Description: A path traversal vulnerability (CWE-22) exists in huangjunsen0406/xiaozhi-mcphub 1.0.3. The DXT upload handler in src/controllers/dxtController.ts extracts .dxt archives and uses the name field from the untrusted manifest.json file to construct the extraction path using path.join. Because this value is not sanitized, an authenticated attacker can use traversal sequences (e.g., ../../) to extract files to arbitrary locations outside the intended directory.
Source: ⚠️ https://github.com/huangjunsen0406/xiaozhi-mcphub/issues/29
User: ccccccctfi (UID 97498)
Submission: 20/04/2026 17:38 (2 months ago)
Moderation: 07/05/2026 18:40 (17 days later)
Status: Accepted
VulDB entry: 361904 [huangjunsen0406 xiaozhi-mcphub up to 1.0.3 dxtController.ts manifest.name Directory Traversal]
Points: 20
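
The pattern named in the description (an untrusted manifest name passed to path.join) next to a hardened form that allowlists the name and checks containment after resolving the path. This is an added example, not code from xiaozhi-mcphub or from the submission; the function names, the allowlist policy, the upload root and the sample names are all assumptions constructed for illustration.

```javascript
// Added example (not xiaozhi-mcphub code). Function names, the allowlist
// policy and all sample values are assumptions constructed for illustration.
const path = require("node:path");

// Assumed policy: the manifest name must be a single plain directory name.
const SAFE_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

// The pattern the description reports: untrusted name passed to path.join.
function unsafeExtractDir(uploadRoot, manifestName) {
  return path.join(uploadRoot, manifestName);
}

// True only when `candidate` resolves to a location strictly below `root`.
function isInside(root, candidate) {
  const rel = path.relative(path.resolve(root), path.resolve(candidate));
  const escapes = rel === ".." || rel.startsWith(".." + path.sep);
  return rel !== "" && !escapes && !path.isAbsolute(rel);
}

// Hardened form: allowlist the name, then verify containment after resolving.
function safeExtractDir(uploadRoot, manifestName) {
  if (typeof manifestName !== "string" || !SAFE_NAME.test(manifestName)) {
    throw new Error("manifest name rejected");
  }
  const target = path.resolve(uploadRoot, manifestName);
  if (!isInside(uploadRoot, target)) {
    throw new Error("extraction path escapes upload root");
  }
  return target;
}

// Run constructed names through both variants and report the outcome.
function audit(uploadRoot, names) {
  return names.map((name) => {
    const unsafeEscapes = !isInside(uploadRoot, unsafeExtractDir(uploadRoot, name));
    let accepted = true;
    try { safeExtractDir(uploadRoot, name); } catch { accepted = false; }
    return { name, unsafeEscapes, accepted };
  });
}

console.table(audit("/srv/app/uploads", ["weather-tool", "../../outside", "a/../../b", ".."]));
```

The allowlist alone would stop the traversal names; the containment check after path.resolve is kept as a second layer in case the name policy is later relaxed.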
