MindsDB Path Traversal Vulnerability in File Upload API Leading to Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in MindsDB versions prior to 25.9.1.1, specifically in the '/api/files' interface. It allows authenticated attackers to abuse the 'Upload File' module by sending multipart file uploads whose filename contains '../' sequences. Because the file path is not validated, arbitrary content can be written to any location on the server. The root cause is one of ordering: the file write happens before the filename is sanitized, so the unsanitized path is the one used for the write. Once the malicious file is in place, it can be used to execute arbitrary commands on the server through MindsDB's own functionality.
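The defensive counterpart to the flaw described above is to validate the client-supplied filename and its resolved destination before anything is written. The following is an added illustration written for this advisory, not MindsDB's code; the `upload_dir` argument and the sample filenames are constructed.

```python
import tempfile
from pathlib import Path, PurePosixPath


class UnsafeFilenameError(ValueError):
    """Raised when a client-supplied upload name must not be written."""


def safe_upload_path(upload_dir: str, filename: str) -> Path:
    """Return the only path an upload named `filename` may be written to.

    Validation happens before any bytes touch disk. A name is rejected if it
    carries any directory component (so '../' never reaches the filesystem),
    and the fully resolved destination is then checked to lie directly inside
    the resolved upload directory, which also defeats symlink tricks.
    """
    base = Path(upload_dir).resolve()
    normalized = filename.replace("\\", "/")       # treat Windows separators alike
    parts = PurePosixPath(normalized).parts        # '' and '.' both give ()
    if len(parts) != 1 or parts[0] == ".." or "\x00" in normalized:
        raise UnsafeFilenameError(f"rejected upload name: {filename!r}")
    candidate = (base / parts[0]).resolve()
    if candidate.parent != base:
        raise UnsafeFilenameError(f"upload name escapes {base}: {filename!r}")
    return candidate


def is_safe_upload(upload_dir: str, filename: str) -> bool:
    """Boolean form of the check, convenient for request filters and tests."""
    try:
        safe_upload_path(upload_dir, filename)
        return True
    except UnsafeFilenameError:
        return False


def store_upload(upload_dir: str, filename: str, content: bytes) -> Path:
    """Validate first, then write: the ordering the advisory says was inverted."""
    dest = safe_upload_path(upload_dir, filename)
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(content)
    return dest


if __name__ == "__main__":
    # Constructed sample names, not taken from any real request.
    samples = ["data.csv", "../../escaped.py", "/etc/hosts", "sub/file.txt", "..", ""]
    with tempfile.TemporaryDirectory() as tmp:
        for name in samples:
            print(f"{name!r:22} -> {'accept' if is_safe_upload(tmp, name) else 'reject'}")
        print("written:", store_upload(tmp, "data.csv", b"a,b\n1,2\n"))
```

Rejecting rather than silently stripping directory components also makes traversal attempts visible in request logs, which is useful for detection.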

Impact

Exploitation of this vulnerability allows for remote code execution on the server where MindsDB is running.

Reproduction

To reproduce this vulnerability, send a PUT request to the '/api/files' endpoint with a multipart form-data payload. Include a filename that uses path traversal sequences to overwrite a file in the Python 'venv' directory, specifically targeting the 'pip/__init__.py' file. After overwriting the file, call the '/<handler_name>/install' endpoint to execute the malicious script, which can be verified by checking for the creation of a file in the '/tmp' directory.

Remediation

Users can upgrade to MindsDB version 25.9.1.1 or later, where this vulnerability has been patched.

Added: Feb 24, 2026, 3:29 PM
Updated: Feb 24, 2026, 10:24 PM

Vulnerability Rating (Custom Algorithm)

spread          6.2
impact         10.0
exploitability  6.6
remediation     7.7
relevance       3.1
threat          6.9
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.