Penpot Arbitrary File Read Vulnerability via create-font-variant RPC Endpoint

Vulnerability

An arbitrary file read vulnerability has been identified in Penpot, an open-source design tool, in versions prior to 2.13.2. The 'create-font-variant' RPC endpoint expects uploaded font data, but an authenticated user with team edit permissions can supply a local file path as a font data chunk instead; the server reads that path from its own filesystem, stores the contents as the font variant, and serves them back through the normal font asset retrieval. The read happens with the privileges of the Penpot backend process, so any file that process can open is exposed, including system files, application secrets, database credentials, and private keys, which may allow further compromise of the server. In containerized deployments the reachable files are limited to the container filesystem, but environment variables, mounted secrets, and application configuration remain at risk.

Impact

Exploitation allows arbitrary file reading from the server's filesystem, with potential exposure of sensitive information such as application secrets, database credentials, and private keys. In containerized deployments the impact is confined to the container filesystem, but critical application data and secrets can still be compromised.

Reproduction

To reproduce this vulnerability, an authenticated user with team edit permissions sends a request to the 'create-font-variant' RPC endpoint. The request must include a valid team UUID, a UUID for the new font variant, and a font data parameter crafted to carry the path of the file to be read, such as '/etc/passwd', in place of uploaded font bytes. The server reads that path, stores the file's contents as the font variant, and the contents can then be downloaded through the normal font-variant retrieval process. Only files readable by the backend process's user can be obtained this way.

Remediation

Update to Penpot version 2.13.2 or later, where this vulnerability has been patched. Patching does not remove font variants that were created while the instance was vulnerable: font assets uploaded by untrusted users before the update should be reviewed for non-font content, and any secret that could have been read from the server filesystem should be rotated.
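A post-patch audit and the matching ingestion check, as an added example written in Python; it is not Penpot's own code (the Penpot backend is Clojure) and it does not reproduce the exploit. It sniffs the standard TrueType, OpenType and WOFF signatures to flag stored font-variant blobs that are not fonts, which is how exfiltrated text such as a passwd or .env file would show up, and it shows the type and header check a font-upload handler should apply so that a string is never treated as a server-side path. The way stored assets are enumerated (an in-memory dict here) and all sample blobs are constructed for the example; the environment variable names in the sample are illustrative.

```python
"""Audit stored font assets for non-font content and reject path-like chunks.

Added example, not Penpot code. Assumes the caller can enumerate stored
font-variant blobs as bytes (constructed dict below) and that genuine font
uploads arrive as raw bytes. Signatures are the standard font-container
magic numbers.
"""
from __future__ import annotations

import os
import string

# First four bytes of the font containers a design tool accepts.
FONT_MAGIC = {
    b"\x00\x01\x00\x00": "truetype",
    b"true": "truetype",
    b"OTTO": "opentype-cff",
    b"ttcf": "truetype-collection",
    b"wOFF": "woff",
    b"wOF2": "woff2",
}

_PRINTABLE = set(string.printable.encode("ascii"))


def sniff_font(data: bytes) -> str | None:
    """Return the font container type from the first 4 bytes, or None."""
    return FONT_MAGIC.get(bytes(data[:4]))


def looks_textual(data: bytes, sample: int = 512) -> bool:
    """Heuristic: a blob that is almost all printable ASCII is not a binary font."""
    head = data[:sample]
    if not head:
        return False
    printable = sum(b in _PRINTABLE for b in head)
    return printable / len(head) > 0.95


def check_font_chunk(chunk: object) -> str | None:
    """Hardened ingestion check for one font-data chunk.

    Returns None when the chunk is acceptable, otherwise the rejection reason.
    A str or PathLike is rejected outright so nothing is ever dereferenced as
    a server-side path; anything else must be bytes with a known font header.
    """
    if isinstance(chunk, (str, os.PathLike)):
        return "font chunk must be uploaded bytes, not a path"
    if not isinstance(chunk, (bytes, bytearray)):
        return "font chunk must be bytes"
    if sniff_font(bytes(chunk)) is None:
        return "data does not start with a TrueType/OpenType/WOFF signature"
    return None


def validate_font_chunk(chunk: object) -> bytes:
    """Raise ValueError on a bad chunk; return the bytes unchanged otherwise."""
    reason = check_font_chunk(chunk)
    if reason is not None:
        raise ValueError(reason)
    return bytes(chunk)  # type: ignore[arg-type]


def audit_font_assets(assets: dict[str, bytes]) -> list[tuple[str, str]]:
    """Flag stored font-variant blobs that do not look like fonts.

    Returns (asset_id, reason) pairs; a leaked passwd or .env file stored as a
    "font" is reported as textual-content.
    """
    findings = []
    for asset_id, blob in assets.items():
        if sniff_font(blob) is not None:
            continue
        reason = "textual-content" if looks_textual(blob) else "unknown-binary"
        findings.append((asset_id, reason))
    return findings


# Constructed sample assets (not real data): two valid font headers and two
# blobs of the kind an exploited instance would have stored as fonts.
SAMPLE_ASSETS = {
    "variant-ok-ttf": b"\x00\x01\x00\x00" + b"\x00" * 60,
    "variant-ok-woff2": b"wOF2" + b"\x00" * 60,
    "variant-passwd": b"root:x:0:0:root:/root:/bin/bash\n"
                      b"www:x:33:33::/var/www:/usr/sbin/nologin\n",
    "variant-env": b"PENPOT_DATABASE_PASSWORD=example-secret\n"
                   b"PENPOT_SECRET_KEY=example-key\n",
}

if __name__ == "__main__":
    for asset_id, reason in audit_font_assets(SAMPLE_ASSETS):
        print(f"{asset_id}: {reason}")
```

On a real instance the dict would be replaced by a walk over the font-variant storage objects; the signature check is deliberately strict, so a legitimate upload in an unlisted container format would be flagged for manual review rather than silently accepted.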

Added: Feb 19, 2026, 8:37 PM
Updated: Feb 19, 2026, 8:37 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these eight vulnerability categories, which are then combined to calculate the overall risk score.