Bugsink Path Traversal Vulnerability via Unvalidated event_id Input

Vulnerability

A path traversal vulnerability has been identified in Bugsink, a self-hosted error tracking service, affecting versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3. The vulnerability arises because ingestion paths create file locations directly from untrusted event_id input without proper validation. A specially crafted event_id can manipulate paths to traverse outside the intended directory, potentially leading to file overwriting or creation in arbitrary locations. Exploiting this vulnerability requires access to a valid DSN, which could be exposed in certain scenarios. In containerized environments, the impact is limited to the container's filesystem, while in non-containerized setups, the file overwrite could affect other accessible parts of the system.

Impact

Exploitation allows for path traversal, enabling file overwrite or creation in unintended locations. This could overwrite files in the user's accessible paths, with potential broader system impact in non-containerized Bugsink installations.

Reproduction

To reproduce this vulnerability, send an ingestion request with a crafted event_id that includes directory traversal sequences. Ensure that the event_id bypasses the default validation and is accepted by the Bugsink server. This can be done by exploiting a valid DSN that is within reach, such as one exposed in the frontend code.

Remediation

Users can update to Bugsink versions 1.7.4, 1.6.4, 1.5.5, or 1.4.3, all of which include the necessary validation and normalization of the event_id before it is used in file paths.
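The following is an added illustration of the fix category the advisory describes (validate and normalize event_id before it reaches a file path); it is not Bugsink's code and does not reproduce its ingestion logic. It assumes the Sentry-style event_id format of exactly 32 lowercase hexadecimal characters, and the base directory and function names are placeholders. The unvalidated join is shown only to make the containment check testable against it.

```python
import os
import re
from pathlib import Path

# Assumption (not from the advisory): event ids follow the Sentry convention of a
# UUID4 rendered as exactly 32 hex characters with no dashes.
EVENT_ID_RE = re.compile(r"\A[0-9a-f]{32}\Z")


class InvalidEventId(ValueError):
    """Raised when an incoming event_id is not an allow-listed identifier."""


def normalize_event_id(raw: object) -> str:
    """Return the canonical lowercase event_id, or raise InvalidEventId.

    Allow-list validation is the primary control: anything that is not 32 hex
    characters is rejected before it can take part in a path at all, so path
    separators, dots and NUL bytes never reach the filesystem layer.
    """
    if not isinstance(raw, str):
        raise InvalidEventId("event_id must be a string")
    candidate = raw.strip().lower()
    if not EVENT_ID_RE.fullmatch(candidate):
        raise InvalidEventId("event_id must be exactly 32 hex characters")
    return candidate


def is_valid_event_id(raw: object) -> bool:
    """Boolean wrapper around normalize_event_id for callers that prefer a check."""
    try:
        normalize_event_id(raw)
        return True
    except InvalidEventId:
        return False


def unsafe_path_escapes(base_dir: str, event_id: str) -> bool:
    """Model the vulnerable pattern: join untrusted input straight onto base_dir
    and report whether the normalized result lands outside base_dir."""
    base = os.path.normpath(base_dir)
    joined = os.path.normpath(os.path.join(base, event_id))
    return os.path.commonpath([base, joined]) != base


def safe_event_path(base_dir: str, raw_event_id: object) -> Path:
    """Build the on-disk location for an event, with two independent controls:
    allow-list validation of the identifier, then a containment check on the
    resolved path as defence in depth."""
    base = Path(base_dir).resolve()
    event_id = normalize_event_id(raw_event_id)
    target = (base / event_id).resolve()
    if target.parent != base:
        raise InvalidEventId("resolved path escaped the ingestion directory")
    return target


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed id, one traversal attempt.
    for candidate in ("0123456789abcdef0123456789abcdef", "../../etc/passwd"):
        print(candidate, "valid:", is_valid_event_id(candidate),
              "unchecked join escapes:", unsafe_path_escapes("/srv/ingest", candidate))
```

The allow-list regex is the fix that matters; the `target.parent != base` check only guards against future code paths that bypass the validator, and it costs one extra `resolve()`.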

Added: Jul 30, 2025, 3:19 PM
Updated: Jul 30, 2025, 3:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 4.2
exploitability: 6.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.