Submit #687603: Dreampie Resty Framework - HttpClient Module 1.3.1.SNAPSHOT Path Traversal / Directory Traversal (CWE-22)

Title: Dreampie Resty Framework - HttpClient Module 1.3.1.SNAPSHOT Path Traversal / Directory Traversal (CWE-22)
Description: A path traversal vulnerability exists in Resty Framework's HttpClient module (all versions including and prior to 1.3.1.SNAPSHOT). When the HttpClient downloads files to a directory (as opposed to a specific file path), it automatically extracts the filename from the HTTP response's Content-Disposition header without performing any path sanitization. An attacker controlling the HTTP response can inject path traversal sequences (e.g., ../) in the filename to write files to arbitrary locations on the filesystem. This vulnerability can be exploited through multiple attack vectors including Man-in-the-Middle attacks on HTTP connections, malicious third-party API servers, compromised CDN/update servers, or lateral movement in microservice architectures. Successful exploitation can lead to remote code execution (via webshell deployment or malicious script injection), privilege escalation (via SSH key injection or systemd service installation), data exfiltration (via configuration file replacement), or denial of service (via critical file corruption). The vulnerability is located in /resty-httpclient/src/main/java/cn/dreampie/client/HttpClient.java at lines 157-178, where the filename is extracted via contentDisposition.substring(fileNameIndex + 9) and directly used in new File(fileOrDirectory, fileName) without validation. Notably, the framework's file upload handler (MultipartParser) correctly implements path traversal protection by stripping directory separators, indicating this is a security regression rather than intentional design.
Source: https://github.com/Xzzz111/exps/blob/main/archives/Resty-PathTraversal-01/cve_application.md
User: sh7err (UID 91441)
Submission: 11/02/2025 16:45 (6 months ago)
Moderation: 11/19/2025 17:59 (17 days later)
Status: Accepted
VulDB entry: 332979 [Dreampie Resty up to 1.3.1.SNAPSHOT HttpClient HttpClient.java request filename path traversal]
Points: 20
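
The following is an added example, not code from Resty or from the submission: it contrasts the unvalidated new File(directory, fileName) pattern the description quotes with a hardened resolution that strips directory components and checks the canonical parent. The class and method names are hypothetical, the "filename=" marker is an assumption inferred from the offset of 9, and the header values are constructed.

```java
import java.io.File;
import java.io.IOException;

// Added illustration; SafeDownloadName and its methods are hypothetical names.
public class SafeDownloadName {
    // Mirrors the extraction quoted in the description. The "filename=" marker
    // is an assumption; the value is taken to the end of the header.
    static String headerFileName(String contentDisposition) {
        int fileNameIndex = contentDisposition.indexOf("filename=");
        if (fileNameIndex < 0) return null;
        return contentDisposition.substring(fileNameIndex + 9).trim().replaceAll("^\"|\"$", "");
    }

    // Hardened form: keep only the last path component, then confirm the
    // canonical target still sits directly inside the download directory.
    static File resolveSafe(File directory, String fileName) throws IOException {
        String base = fileName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IOException("rejected file name: " + fileName);
        }
        File dir = directory.getCanonicalFile();
        File target = new File(dir, base).getCanonicalFile();
        if (!dir.equals(target.getParentFile())) {
            throw new IOException("path escapes download directory: " + fileName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File dir = new File(System.getProperty("java.io.tmpdir"), "downloads");
        String[] headers = { // constructed sample header values
            "attachment; filename=\"report.pdf\"",
            "attachment; filename=\"../../outside.txt\"",
            "attachment; filename=\"..\""
        };
        for (String h : headers) {
            String name = headerFileName(h);
            // Unsafe form from the report: header value used as-is.
            System.out.println("unsafe -> " + new File(dir, name).getCanonicalPath());
            try {
                System.out.println("safe   -> " + resolveSafe(dir, name));
            } catch (IOException e) {
                System.out.println("safe   -> " + e.getMessage());
            }
        }
    }
}
```

The canonical-parent comparison also rejects a name that resolves through a symlink already present in the download directory, which separator stripping alone would not catch.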
