Eosphoros AI Db Gpt Path Traversal Vulnerability in File Deletion API

Vulnerability

A path traversal vulnerability has been identified in Eosphoros AI Db Gpt version 0.6.0, specifically within the API endpoint '/v1/resource/file/delete'. The 'file_key' parameter of this endpoint is not properly sanitized, so an attacker who supplies an arbitrary file path in 'file_key' can delete any existing file on the server.

Impact

Exploitation of this vulnerability allows for the deletion of any file on the server.

Reproduction

To reproduce this vulnerability, send a POST request to the '/v1/resource/file/delete' API endpoint with the 'conv_uid' and 'file_key' parameters in the request body. Set 'file_key' to the path of a file that exists on the server, such as a file in the '/tmp' directory. If 'file_key' points to a valid file, the application deletes it.
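The fix for this class of bug is to confine every client-supplied file key to the storage directory before touching the filesystem. The following is an added example, not DB-GPT's own code; the storage root, the function names and the sample keys are assumptions. It rejects absolute keys (which would replace the root when joined), '..' segments and symlinks that resolve outside the root, and only then deletes.

```python
from pathlib import Path
from typing import Optional, Union

# Assumed upload directory; DB-GPT's real storage location is not stated in the advisory.
STORAGE_ROOT = "/var/lib/app/uploads"


def resolve_file_key(file_key: str, root: Union[str, Path] = STORAGE_ROOT) -> Optional[Path]:
    """Map a client-supplied file_key to an on-disk path confined to root.

    Returns None for any key that would escape the storage directory:
    absolute paths, '..' segments, and symlinks resolving outside root.
    """
    if not file_key or file_key != file_key.strip():
        return None
    if Path(file_key).is_absolute():
        return None  # an absolute key would discard root entirely
    try:
        root_resolved = Path(root).resolve()
        candidate = (root_resolved / file_key).resolve()
        # relative_to raises ValueError when candidate is not under root
        candidate.relative_to(root_resolved)
    except (ValueError, OSError):
        return None
    return candidate


def delete_file(file_key: str, root: Union[str, Path] = STORAGE_ROOT) -> bool:
    """Delete the file behind file_key only if it is confined to root.

    Returns True when a file was deleted, False when the key was rejected
    or no regular file exists at the resolved path.
    """
    target = resolve_file_key(file_key, root)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True


if __name__ == "__main__":
    import tempfile

    # Constructed demo: a file inside a temporary root; a key that tries to leave it.
    with tempfile.TemporaryDirectory() as tmp:
        inside = Path(tmp) / "uploads" / "report.txt"
        inside.parent.mkdir()
        inside.write_text("ok")
        print(delete_file("report.txt", inside.parent))     # True
        print(delete_file("../report.txt", inside.parent))  # False, key rejected
```

Logging every rejected key (with the raw value and the caller) gives a cheap detection signal for probing of this endpoint.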

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.7
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.