RomM Authenticated Path Traversal Vulnerability in Raw API Endpoint

Vulnerability

A path traversal vulnerability has been identified in RomM, a self-hosted ROM manager and player, affecting versions prior to 3.10.3 and 4.0.0-beta.3. The vulnerability exists in the '/api/raw' endpoint, where user input is not properly sanitized before being passed to the 'FileResponse' function. This flaw allows authenticated users, including those with low privileges, to traverse directories and access sensitive files, such as the '/etc/passwd' file, which contains usernames and group IDs. The vulnerability is particularly concerning for instances exposed to the open internet, running on bare metal, in 'kiosk mode', or with many user accounts.
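To make the flaw concrete, the following added example (not RomM's code, and not taken from the advisory) puts a stand-in for the unchecked pattern the advisory describes next to a hardened version. The served directory, the `unsafe_resolve`/`safe_resolve` names and the temporary file layout are assumptions; the point is the containment check that the vulnerable pattern lacks before handing a path to a file-serving response.

```python
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the served directory."""


def unsafe_resolve(base_dir: str, user_path: str) -> str:
    # Vulnerable pattern (hypothetical stand-in for what the advisory describes):
    # the caller-supplied path is joined onto the served directory with no
    # containment check. '..' segments walk out of base_dir, and an absolute
    # user_path makes os.path.join discard base_dir entirely.
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir: str, user_path: str) -> Path:
    # Hardened pattern: canonicalise both paths (resolve() collapses '..' and
    # follows symlinks, so a symlink inside base_dir pointing outside is caught
    # too), then require the candidate to sit under base_dir.
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(
            f"refusing path outside served directory: {user_path!r}"
        ) from None
    if not candidate.is_file():
        raise FileNotFoundError(user_path)
    return candidate


def _rejected(assets: Path, user_path: str) -> bool:
    # True when the hardened resolver refuses the request as traversal.
    try:
        safe_resolve(str(assets), user_path)
    except PathTraversalError:
        return True
    return False


def demo() -> dict:
    # Constructed layout: <tmp>/assets is the served directory and
    # <tmp>/secret.txt stands in for any file that must stay unreachable.
    root = Path(tempfile.mkdtemp())
    assets = root / "assets"
    assets.mkdir()
    (assets / "cover.png").write_bytes(b"PNG")
    (root / "secret.txt").write_text("must stay private")

    results = {}
    # The unchecked join yields the file outside the served directory.
    results["unsafe_escapes"] = (
        Path(unsafe_resolve(str(assets), "../secret.txt")).resolve()
        == (root / "secret.txt").resolve()
    )
    # A legitimate in-directory request still works with the hardened version.
    results["safe_serves_legit"] = (
        safe_resolve(str(assets), "cover.png").name == "cover.png"
    )
    # Traversal in the style the advisory quotes ('..//..') is rejected ...
    results["safe_blocks_traversal"] = _rejected(assets, "..//../secret.txt")
    # ... as is an absolute path that would otherwise replace the base directory.
    results["safe_blocks_absolute"] = _rejected(assets, str(root / "secret.txt"))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check is done on the resolved path rather than by rejecting `..` substrings, so encoded or doubled separators and symlinks are all handled by the same rule: the final file must lie under the directory the endpoint is meant to serve.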

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive files on the server, with potential leakage of usernames, group IDs, and other confidential information. In some cases, it could allow access to the '/etc/shadow' file if the server is running as root.

Reproduction

To reproduce this vulnerability, send a request to the '/api/raw/assets' endpoint with a crafted path that includes directory traversal sequences, such as '..//..'. This can be done using tools like curl or Postman. If the server is running in 'kiosk mode' or has multiple user accounts, the vulnerability can be exploited more easily.
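For operators who want to know whether their instance saw such requests before upgrading, here is an added example (not part of the advisory or of RomM) that scans access-log lines for requests to the raw endpoint whose path contains a dot-dot segment, including URL-encoded forms. The log lines are constructed, the combined-log layout and the `/api/raw` prefix are assumptions, and the `likely_served` flag simply records whether the server answered 2xx.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in combined-log style; none are from a real deployment.
LOG_LINES = [
    '10.0.0.5 - alice [16/Jul/2025:20:22:01 +0000] "GET /api/raw/assets/users/1/saves/game.sav HTTP/1.1" 200 5120',
    '10.0.0.9 - bob [16/Jul/2025:20:22:07 +0000] "GET /api/raw/assets/..//../etc/passwd HTTP/1.1" 200 1893',
    '10.0.0.9 - bob [16/Jul/2025:20:22:09 +0000] "GET /api/raw/assets/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 200 12',
    '10.0.0.7 - carol [16/Jul/2025:20:22:11 +0000] "GET /api/platforms HTTP/1.1" 200 803',
    '10.0.0.9 - bob [16/Jul/2025:20:22:30 +0000] "GET /api/raw/assets/../secret HTTP/1.1" 403 0',
]

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def has_traversal_segment(path: str) -> bool:
    # Decode twice so single- and double-encoded dot segments are both seen,
    # then test whole path segments rather than substrings: "..foo" is not a
    # hit, while "..", "..//.." and "%2e%2e" all are.
    decoded = unquote(unquote(path.split("?", 1)[0]))
    return any(seg == ".." for seg in re.split(r"[/\\]", decoded))


def find_traversal_attempts(lines, prefix="/api/raw") -> list:
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue
        if has_traversal_segment(m["path"]):
            status = int(m["status"])
            hits.append({
                "client": m["client"],
                "user": m["user"],
                "timestamp": m["ts"],
                "path": m["path"],
                "status": status,
                # On an unpatched version a 2xx on such a path means the file
                # was most likely returned; after upgrading these should be 4xx.
                "likely_served": 200 <= status < 300,
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(LOG_LINES):
        print(hit)
```

Because the endpoint requires authentication, every hit carries the logged username, so a positive result points at a specific account to review rather than just a source address.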

Remediation

Users are advised to upgrade to RomM version 3.10.3 or 4.0.0-beta.3.

Added: Jul 16, 2025, 8:22 PM
Updated: Jul 16, 2025, 8:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.3
exploitability: 6.6
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.