GHSA-4753-CMC8-8J9V

Vulnerability from github – Published: 2026-03-24 16:35 – Updated: 2026-03-27 21:18
VLAI?
Summary
GoDoxy has a Path Traversal Vulnerability in its File API
Details

Summary

The file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Join(common.ConfigBasePath, filename) where ConfigBasePath = "config" (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (binding:"required").

An authenticated attacker can use ../ sequences to read or write files outside the intended config/ directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID.

Root Cause

File: internal/api/v1/file/get.go, lines 68-73:

func (t FileType) GetPath(filename string) string {
    if t == FileTypeMiddleware {
        return path.Join(common.MiddlewareComposeBasePath, filename)
    }
    return path.Join(common.ConfigBasePath, filename)
}
  • common.ConfigBasePath = "config" — relative path, not absolute
  • path.Join("config", "../certs/key.pem") normalizes to "certs/key.pem" — escaping config/
  • No call to strings.HasPrefix, filepath.Rel, or any containment check exists
  • The format:"filename" struct tag is an OpenAPI/Swagger annotation only, not enforced by the validator

Proof of Concept

Environment

  • GoDoxy v0.27.4 (ghcr.io/yusing/godoxy:latest)
  • Authentication enabled with default credentials (admin/password)

Steps to Reproduce

Step 1 — Authenticate:

Step 2 — Read file outside config/ via path traversal:

GET /api/v1/file/content?type=config&filename=../certs/secret-agent-key.pem HTTP/1.1
Host: localhost:8888
Cookie: godoxy_token=<JWT>

HTTP Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 43
Content-Type: application/godoxy+yaml
Expires: 0
Pragma: no-cache

THIS_IS_A_SECRET_PRIVATE_KEY_FOR_AGENT_TLS

image

Impact

Files accessible via this vulnerability

Path (relative to config/) Contents Risk
../certs/agents/{host}.zip CA cert + server cert + TLS private key Impersonate GoDoxy server to remote agents
../data/oauth_refresh_tokens.json OIDC refresh tokens for all active sessions Account takeover via token reuse
../../etc/ssl/certs/ca-certificates.crt System CA certificates Information disclosure
Any file readable by UID 1000 Depends on mounted volumes Variable

The PUT /api/v1/file/content endpoint is also affected. While the content must pass YAML schema validation (config or provider format), an attacker can write valid provider YAML files outside config/, potentially injecting malicious route definitions.

Suggested Remediation

Validate that the resolved path remains within the base directory:

func (t FileType) GetPath(filename string) (string, error) {
    var base string
    if t == FileTypeMiddleware {
        base = common.MiddlewareComposeBasePath
    } else {
        base = common.ConfigBasePath
    }

    absBase, _ := filepath.Abs(base)
    resolved, _ := filepath.Abs(filepath.Join(base, filename))

    if !strings.HasPrefix(resolved, absBase+string(filepath.Separator)) {
        return "", fmt.Errorf("path traversal detected: %s", filename)
    }

    return resolved, nil
}
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/yusing/godoxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.27.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33528"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T16:35:30Z",
    "nvd_published_at": "2026-03-26T20:16:14Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = \"config\"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:\"required\"`).\n\nAn authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container\u0027s UID.\n\n## Root Cause\n\n**File:** `internal/api/v1/file/get.go`, lines 68-73:\n\n```go\nfunc (t FileType) GetPath(filename string) string {\n    if t == FileTypeMiddleware {\n        return path.Join(common.MiddlewareComposeBasePath, filename)\n    }\n    return path.Join(common.ConfigBasePath, filename)\n}\n```\n\n- `common.ConfigBasePath = \"config\"` \u2014 relative path, not absolute\n- `path.Join(\"config\", \"../certs/key.pem\")` normalizes to `\"certs/key.pem\"` \u2014 escaping `config/`\n- No call to `strings.HasPrefix`, `filepath.Rel`, or any containment check exists\n- The `format:\"filename\"` struct tag is an OpenAPI/Swagger annotation only, not enforced by the validator\n\n## Proof of Concept\n\n### Environment\n\n- GoDoxy v0.27.4 (`ghcr.io/yusing/godoxy:latest`)\n- Authentication enabled with default credentials (`admin`/`password`)\n\n### Steps to Reproduce\n\n**Step 1 \u2014 Authenticate:**\n\n**Step 2 \u2014 Read file outside config/ via path traversal:**\n\n```http\nGET /api/v1/file/content?type=config\u0026filename=../certs/secret-agent-key.pem HTTP/1.1\nHost: localhost:8888\nCookie: godoxy_token=\u003cJWT\u003e\n```\n\n### HTTP Response\n\n```\nHTTP/1.1 200 OK\nCache-Control: no-cache, no-store, must-revalidate\nContent-Length: 43\nContent-Type: application/godoxy+yaml\nExpires: 0\nPragma: no-cache\n\nTHIS_IS_A_SECRET_PRIVATE_KEY_FOR_AGENT_TLS\n```\n\u003cimg width=\"1489\" height=\"286\" alt=\"image\" src=\"https://github.com/user-attachments/assets/05f3464f-20ba-4913-830d-9fcc2fa1a2e3\" /\u003e\n\n## Impact\n\n### Files accessible via this vulnerability\n\n| Path (relative to `config/`) | Contents | Risk |\n|-------------------------------|----------|------|\n| `../certs/agents/{host}.zip` | CA cert + server cert + **TLS private key** | Impersonate GoDoxy server to remote agents |\n| `../data/oauth_refresh_tokens.json` | OIDC refresh tokens for all active sessions | Account takeover via token reuse |\n| `../../etc/ssl/certs/ca-certificates.crt` | System CA certificates | Information disclosure |\n| Any file readable by UID 1000 | Depends on mounted volumes | Variable |\n\nThe `PUT /api/v1/file/content` endpoint is also affected. While the content must pass YAML schema validation (config or provider format), an attacker can write valid provider YAML files outside `config/`, potentially injecting malicious route definitions.\n\n\n## Suggested Remediation\n\nValidate that the resolved path remains within the base directory:\n\n```go\nfunc (t FileType) GetPath(filename string) (string, error) {\n    var base string\n    if t == FileTypeMiddleware {\n        base = common.MiddlewareComposeBasePath\n    } else {\n        base = common.ConfigBasePath\n    }\n\n    absBase, _ := filepath.Abs(base)\n    resolved, _ := filepath.Abs(filepath.Join(base, filename))\n\n    if !strings.HasPrefix(resolved, absBase+string(filepath.Separator)) {\n        return \"\", fmt.Errorf(\"path traversal detected: %s\", filename)\n    }\n\n    return resolved, nil\n}\n```",
  "id": "GHSA-4753-cmc8-8j9v",
  "modified": "2026-03-27T21:18:00Z",
  "published": "2026-03-24T16:35:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33528"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/yusing/godoxy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yusing/godoxy/releases/tag/v0.27.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GoDoxy has a Path Traversal Vulnerability in its File API"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.