The application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount.
The application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. This allows ".." sequences to bypass path restrictions, enabling users to access other users' files within the same storage mount and perform unauthorized actions such as deletion, renaming, or copying of files.
```go
func FsRemove(c *gin.Context) {
	// ...
	for _, name := range req.Names {
		// name comes straight from the request body; a ".." component escapes reqDir
		err := fs.Remove(c, stdpath.Join(reqDir, name))
		// ...
	}
}
func FsCopy(c *gin.Context) {
	// ...
	if !req.Overwrite {
		for _, name := range req.Names {
			if res, _ := fs.Get(c.Request.Context(), stdpath.Join(dstDir, name), &fs.GetArgs{NoLog: true}); res != nil {
				// ...
			}
		}
	}
}
```
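To make the root cause concrete, the following added example (not code from the advisory or from the affected project) contrasts the unchecked stdpath.Join pattern with a hardened per-name check that only accepts a single path component; joinUnchecked, joinChecked and validateNames are assumed names, and the /alice and /bob directories are constructed sample data.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// joinUnchecked reproduces the vulnerable pattern: the request-supplied name
// is joined to the authorised directory as-is, so ".." resolves outside it.
func joinUnchecked(dir, name string) string {
	return path.Join(dir, name)
}

// joinChecked is a hardened replacement (assumed here, not the project's fix).
// A name must be exactly one path component: non-empty, not "." or "..", and
// free of slashes. The path.Dir test is defence in depth against any escape.
func joinChecked(dir, name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("invalid file name %q", name)
	}
	base := path.Clean("/" + dir)
	full := path.Join(base, name)
	if path.Dir(full) != base {
		return "", fmt.Errorf("name %q escapes %s", name, base)
	}
	return full, nil
}

// validateNames applies joinChecked to a req.Names-style list, returning the
// accepted full paths and the rejected raw names (useful for audit logging).
func validateNames(dir string, names []string) (accepted, rejected []string) {
	for _, n := range names {
		if p, err := joinChecked(dir, n); err == nil {
			accepted = append(accepted, p)
		} else {
			rejected = append(rejected, n)
		}
	}
	return accepted, rejected
}

func main() {
	// constructed sample: one benign name and two traversal attempts
	names := []string{"notes.txt", "../bob/secret.txt", "sub/../../bob/x"}
	fmt.Println("unchecked:", joinUnchecked("/alice", names[1])) // /bob/secret.txt
	ok, bad := validateNames("/alice", names)
	fmt.Println("accepted:", ok, "rejected:", bad)
}
```

Rejecting any name that is not a single component is simpler and safer than trying to normalise traversal sequences away, and the rejected list gives the handler something to log for detection.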
Scenario: A normal user ("alice") bypasses directory restrictions to read files outside her authorized path.
Environment setup:
https://github.com/user-attachments/assets/5d73bbec-29e5-4c52-8af3-4c70b26d9d0e
This vulnerability enables privilege escalation within shared storage environments. An authenticated attacker with basic file operation permissions (remove/copy) can bypass directory-level authorisation...
4.1.10 (version string carried in the advisory metadata)
CVSS v3.1 base score: 8.8 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: Attack vector Network, Attack complexity Low, Privileges required Low, User interaction None
Scope: Unchanged
Impact: Confidentiality High, Integrity High, Availability High