The application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal, movement and copying across user boundaries within the same storage mount.
The application contains a Path Traversal vulnerability (CWE-22) in multiple file operation handlers (server/handles/fsmanage.go, server/handles/fsbatch.go, etc.). The filename components in req.Names, renameObject.SrcName and renameObject.NewName are concatenated directly with the already-validated directory path using stdpath.Join() or fmt.Sprintf(). Because only the directory is validated, ".." sequences in these components escape the validated directory, enabling users to reach other users' files within the same storage mount and perform unauthorized actions such as deletion, renaming or copying of files.
func FsRemove(c *gin.Context) {
// ...
for _, name := range req.Names {
err := fs.Remove(c, stdpath.Join(reqDir, name))
func FsCopy(c *gin.Context) {
// ...
for i, name := range req.Names {
t, err := fs.Copy(c, stdpath.Join(srcDir, name), dstDir, len(req.Names) > i+1)
func FsBatchRename(c *gin.Context) {
// ...
for _, renameObject := range req.RenameObjects {
filePath := fmt.Sprintf("%s/%s", reqPath, renameObject.SrcName) // Vulnerable concatenation ✗
fs.Rename(c, filePath,...
3.57.0

Exploitability: AV:N / AC:L / PR:L / UI:N
Scope: S:U
Impact: C:H / I:H / A:H

Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)