Beszel Docker API Path Traversal Vulnerability

Vulnerability

A path traversal vulnerability has been identified in Beszel, a server monitoring platform, prior to version 0.18.2. The issue arises in the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info. These endpoints forward the user-supplied 'container' query parameter to the agent without validating it. The agent then concatenates the raw value into Docker Engine API URLs, so a value containing path segments is interpreted as a different Docker API path and exposes sensitive infrastructure details. This vulnerability affects all versions through 0.18.3.

Impact

Exploitation of this vulnerability allows any authenticated user, including those with readonly roles, to access arbitrary Docker Engine API GET endpoints on all connected agent hosts. This access can expose sensitive information such as the hostname, OS version, kernel version, Docker version, container inventory, image list, network topology, storage driver configuration, and security options. This represents a privilege escalation, as readonly users should not have access to host-level infrastructure details.

Reproduction

The vulnerability can be reproduced by authenticating a user and then sending a request to the '/api/beszel/containers/info' endpoint with a crafted 'container' query parameter that includes '../' sequences. This will traverse to unintended Docker API endpoints and return sensitive information from the Docker Engine API on the agent host.

Remediation

Users can upgrade to Beszel version 0.18.4 or later, where this vulnerability has been fixed.
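The root cause described above is a missing allow-list check on the 'container' value before it is used to build a Docker Engine API path. The following Go code is an added illustration of that check, not Beszel's own code or its 0.18.4 fix; the function names and the assumption that the agent's request suffix ("json" or "logs") is a fixed literal chosen by the agent are mine.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Docker container names match [a-zA-Z0-9][a-zA-Z0-9_.-]+ and container IDs
// are hex strings. One allow-list covers both and excludes '/', '%', '?' and
// '#', so an accepted value cannot add or remove URL path segments.
var containerRef = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$`)

var ErrBadContainerRef = errors.New("invalid container reference")

// ValidateContainerRef rejects anything that is not a plain name or ID.
// The hub should apply this before forwarding the parameter to an agent,
// and the agent should apply it again before calling the Docker API.
func ValidateContainerRef(ref string) error {
	if !containerRef.MatchString(ref) {
		return ErrBadContainerRef
	}
	return nil
}

// SafeContainerPath builds /containers/<ref>/<suffix> for the Docker Engine
// API. suffix is an agent-chosen literal (e.g. "json" or "logs"), never user
// input. After validation, a cleaned-path prefix check adds defence in depth.
func SafeContainerPath(ref, suffix string) (string, error) {
	if err := ValidateContainerRef(ref); err != nil {
		return "", err
	}
	u := url.URL{Path: "/containers/" + ref + "/" + suffix}
	if !strings.HasPrefix(path.Clean(u.Path), "/containers/") {
		return "", ErrBadContainerRef
	}
	return u.String(), nil
}

func main() {
	// Constructed sample inputs: one legitimate name, two that must be refused.
	for _, ref := range []string{"web-1", "../x", "a/b"} {
		p, err := SafeContainerPath(ref, "json")
		fmt.Printf("%q -> %q, err=%v\n", ref, p, err)
	}
}
```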

Added: Feb 27, 2026, 8:28 PM
Updated: Feb 27, 2026, 8:28 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.7
exploitability: 6.2
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.