GHSA-QMJ2-8R24-XXCQ

Vulnerability from github – Published: 2026-02-02 20:01 – Updated: 2026-02-03 16:13
VLAI?
Summary
OpenList vulnerable to Path Traversal in file copy and remove handlers
Details

Summary

The application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount.

Details

The application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. This allows ".." sequences to bypass path restrictions, enabling users to access other users' files within the same storage mount and perform unauthorized actions such as deletion, renaming, or copying of files.

FsRemove:

func FsRemove(c *gin.Context) {
    // ...
    for _, name := range req.Names {
        err := fs.Remove(c, stdpath.Join(reqDir, name))

FsCopy:

func FsCopy(c *gin.Context) {
    // ...
    if !req.Overwrite {
        for _, name := range req.Names {
            if res, _ := fs.Get(c.Request.Context(), stdpath.Join(dstDir, name), &fs.GetArgs{NoLog: true}); res != nil {

PoC

Scenario:​ A normal user ("alice") bypasses directory restrictions to read files outside her authorized path.

Environment setup: - Local storage mount as '/local'. - An admin file "adminsecret.txt" is placed under /local - Alice has base path '/local/alice'.

https://github.com/user-attachments/assets/5d73bbec-29e5-4c52-8af3-4c70b26d9d0e

Impact

This vulnerability enables privilege escalation within shared storage environments. An authenticated attacker with basic file operation permissions (remove/copy) can bypass directory-level authorisation controls when multiple users exist within the same storage mount.

Attack Requirements: - Authenticated user account (not guest) - Basic file operation permissions (remove/copy) - Multi-user environment within the same storage mount - Knowledge (or ability to guess) the target file's name and path

Consequences: - Unauthorised data access: Read, copy, and exfiltrate files from other users' directories - Data destruction: Delete files belonging to other users

Note

This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine

CVE and credit are preferred.

If users have any questions regarding the vulnerability details, please feel free to reach out for further discussion. Email xlabai@tencent.com.

The security industry standard 90+30 disclosure policy is followed. Should the aforementioned vulnerabilities remain unfixed after 90 days of submission, all information about the issues will be publicly disclosed.

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/OpenListTeam/OpenList/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25059"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-02T20:01:30Z",
    "nvd_published_at": "2026-02-02T23:16:08Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount.\n\n### Details\nThe application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers in *server/handles/fsmanage.go*. Filename components in `req.Names` are directly concatenated with validated directories using `stdpath.Join`. This allows \"..\" sequences to bypass path restrictions, enabling users to access other users\u0027 files within the same storage mount and perform unauthorized actions such as deletion, renaming, or copying of files.\n\n[FsRemove](https://github.com/OpenListTeam/OpenList/blob/5db2172ed681346b69ed468c73c1f01b6ed455ea/server/handles/fsmanage.go#L284-L285):\n~~~\nfunc FsRemove(c *gin.Context) {\n\t// ...\n\tfor _, name := range req.Names {\n\t\terr := fs.Remove(c, stdpath.Join(reqDir, name))\n~~~\n\n[FsCopy](https://github.com/OpenListTeam/OpenList/blob/5db2172ed681346b69ed468c73c1f01b6ed455ea/server/handles/fsmanage.go#L163-L164):\n~~~\nfunc FsCopy(c *gin.Context) {\n\t// ...\n\tif !req.Overwrite {\n\t\tfor _, name := range req.Names {\n\t\t\tif res, _ := fs.Get(c.Request.Context(), stdpath.Join(dstDir, name), \u0026fs.GetArgs{NoLog: true}); res != nil {\n~~~\n\n\n### PoC\nScenario:\u200b A normal user (\"alice\") bypasses directory restrictions to read files outside her authorized path.\n\nEnvironment setup:\n- Local storage mount as \u0027/local\u0027.\n- An admin file \"adminsecret.txt\" is placed under /local\n- Alice has base path \u0027/local/alice\u0027.\n\n\nhttps://github.com/user-attachments/assets/5d73bbec-29e5-4c52-8af3-4c70b26d9d0e\n\n\n\n### Impact\nThis vulnerability enables privilege escalation within shared storage environments. An authenticated attacker with basic file operation permissions (remove/copy) can bypass directory-level authorisation controls when multiple users exist within the same storage mount.\n\nAttack Requirements:\n- Authenticated user account (not guest)\n- Basic file operation permissions (remove/copy)\n- Multi-user environment within the same storage mount\n- Knowledge (or ability to guess) the target file\u0027s name and path\n\nConsequences:\n- Unauthorised data access: Read, copy, and exfiltrate files from other users\u0027 directories\n- Data destruction: Delete files belonging to other users\n\n### Note\n\nThis vulnerability was discovered by:\n- XlabAI Team of Tencent Xuanwu Lab\n- Atuin Automated Vulnerability Discovery Engine\n\nCVE and credit are preferred.\n\nIf users have any questions regarding the vulnerability details, please feel free to reach out for further discussion. Email [xlabai@tencent.com](mailto:xlabai@tencent.com).\n\nThe security industry standard [90+30 disclosure policy](https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html) is followed. Should the aforementioned vulnerabilities remain unfixed after 90 days of submission, all information about the issues will be publicly disclosed.",
  "id": "GHSA-qmj2-8r24-xxcq",
  "modified": "2026-02-03T16:13:21Z",
  "published": "2026-02-02T20:01:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-qmj2-8r24-xxcq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25059"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenListTeam/OpenList/commit/7b78fed106382430c69ef351d43f5d09928fff14"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenListTeam/OpenList"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenListTeam/OpenList/blob/5db2172ed681346b69ed468c73c1f01b6ed455ea/server/handles/fsmanage.go#L163-L164"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenListTeam/OpenList/blob/5db2172ed681346b69ed468c73c1f01b6ed455ea/server/handles/fsmanage.go#L284-L285"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenList vulnerable to Path Traversal in file copy and remove handlers"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.