| Title | HKUDS LightRAG v1.3.8 Path Traversal |
|---|
| Description | The LightRAG framework supports the ingestion of diverse file formats, including code files (e.g., .html, .py, .sh, .java), configuration files (e.g., .ini, .conf), and database files (e.g., .sql). Within the LightRAG codebase, specifically in the file LightRAG/lightrag/api/routers/document_routes.py, the file upload functionality is implemented by the function upload_to_input_dir. At Line 802 of this file, the destination file path is constructed via the operation file_path = doc_manager.input_dir / file.filename. Crucially, the filename parameter is user-controllable input. This vulnerability enables a malicious actor to craft filenames incorporating directory traversal sequences (../). Exploiting this flaw permits the unauthorized upload of potentially malicious files to arbitrary, unintended locations within the server's filesystem hierarchy, circumventing the intended input directory constraints.Attackers can also view information pertaining to the inputs directory on the LightRAG Server Setting page. |
|---|
| Source | ⚠️ https://github.com/HKUDS/LightRAG/issues/1692 |
|---|
| User | Hannibal0x (UID 86860) |
|---|
| Submission | 06/20/2025 14:31 (10 months ago) |
|---|
| Moderation | 06/27/2025 12:22 (7 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 314089 [HKUDS LightRAG up to 1.3.8 File Upload document_routes.py upload_to_input_dir file.filename path traversal] |
|---|
| Points | 20 |
|---|