| Title | fastapiadmin <= 2.2.0 Path Traversal: '/absolute/pathname/here' |
|---|
| Description | An unrestricted file download vulnerability in FastapiAdmin (≤ 2.2.0) exists at /api/v1/common/file/download (files: /backend/app/api/v1/module_common/file/controller.py, /backend/app/api/v1/module_common/file/service.py, /backend/app/utils/upload_util.py) where the download endpoint accepts an arbitrary file_path parameter, performs no path sanitization or canonicalization, and uses Path(file_path) directly to open and stream files; as a result, any user granted the module_common:file:download permission can supply absolute paths or traversal payloads to read sensitive server files (for example /etc/passwd or private keys), enabling information disclosure and further attacks—mitigations include enforcing strict path validation and canonicalization, restricting downloads to a safe upload directory or mapping logical IDs to files, disallowing absolute paths and traversal sequences, validating permissions per-file, and serving files via a controlled safe API or signed, short-lived download tokens. |
|---|
| Source | ⚠️ https://github.com/CC-T-454455/Vulnerabilities/tree/master/fastapi-admin/vulnerability-2 |
|---|
| User | Anonymous User |
|---|
| Submission | 02/11/2026 06:33 (5 months ago) |
|---|
| Moderation | 02/22/2026 16:09 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 347360 [FastApiAdmin up to 2.2.0 Download Endpoint controller.py download_controller file_path information disclosure] |
|---|
| Points | 20 |
|---|