MindsDB
cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*
- < 25.10.1
A path traversal vulnerability has been identified in the MindsDB file upload API, prior to version 25.11.1. This vulnerability allows unauthenticated users to read arbitrary files from the server's filesystem and transfer them to MindsDB's storage, potentially exposing sensitive data. The issue arises because the PUT handler in file.py concatenates user-controlled data into a filesystem path without proper validation, specifically when the request body is in JSON format and the source_type is not 'url'. While multipart and URL-sourced uploads are sanitized, JSON uploads lack equivalent checks, leaving a critical gap that can be exploited.
Exploitation of this vulnerability allows any user with access to the REST API to read and exfiltrate arbitrary files accessible to the MindsDB process. This could include sensitive information such as credentials, configuration secrets, and private keys.
To reproduce this vulnerability, upload a file using the file upload API with a JSON request body. Include a payload that specifies an absolute file path, such as '/etc/passwd'. The API will respond with the contents of the requested file, demonstrating the path traversal and arbitrary file read capabilities.
Users should update to MindsDB version 25.11.1 or later, where this vulnerability has been fixed.
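The advisory's root cause is a JSON-body branch that builds a filesystem path from user input without the confinement the multipart and URL branches apply. As an added example (not MindsDB's own code), the block below shows one defensive check such a handler could run before touching the filesystem: reject absolute paths, canonicalize the candidate, and accept it only if it stays inside the upload directory. The upload root, the `file` and `source_type` field names, and the `handle_json_upload` function are assumptions for illustration.

```python
from pathlib import Path

# Hypothetical upload directory; the real service's storage location is not on the page.
UPLOAD_ROOT = Path("/var/lib/example-service/uploads")


class UnsafePathError(ValueError):
    """Raised when a client-supplied path would leave the upload directory."""


def resolve_upload_path(root: Path, user_path: str) -> Path:
    """Map a client-supplied relative name onto a file strictly inside `root`.

    The path is canonicalized (".." segments collapsed, symlinks in existing
    prefixes followed) before the containment check, so "a/../../x" and
    "../../etc/passwd" are judged by where they actually land, not by string
    matching on "..".
    """
    if not user_path or "\x00" in user_path:
        raise UnsafePathError("empty or NUL-containing path")
    candidate = Path(user_path)
    if candidate.is_absolute():
        raise UnsafePathError("absolute paths are not accepted")
    root_resolved = root.resolve()
    target = (root_resolved / candidate).resolve()  # strict=False: target may not exist yet
    # The target must be a descendant of root; equality with root (e.g. ".") is rejected too.
    if root_resolved not in target.parents:
        raise UnsafePathError("path escapes the upload directory")
    return target


def handle_json_upload(body: dict, root: Path = UPLOAD_ROOT) -> dict:
    """Mimic the non-URL JSON branch of a file-upload handler with validation in place.

    Returns a small result dict instead of performing I/O so the check can be
    exercised offline; a real handler would only open `path` after "accepted".
    """
    if body.get("source_type") == "url":
        return {"status": "url-branch-not-shown"}
    try:
        target = resolve_upload_path(root, str(body.get("file", "")))
    except UnsafePathError as exc:
        return {"status": "rejected", "reason": str(exc)}
    return {"status": "accepted", "path": str(target)}
```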