FlintSH Flare Next.js Application Path Traversal Vulnerability in Avatar API Endpoint
Vulnerability
A path traversal vulnerability has been identified in the FlintSH Flare file sharing platform, specifically in versions prior to 1.7.3. The vulnerability allows authenticated users to read arbitrary files from the application container via the '/api/avatars/[filename]' endpoint. The issue arises because the 'filename' URL parameter is passed to 'path.join()' without proper sanitization, and the 'getFileStream()' function lacks path validation. This oversight enables '%2F'-encoded '../' sequences to escape the 'uploads/avatars/' directory, accessing any file under '/app/' that is readable by the Next.js process. While authentication is enforced by Next.js middleware, instances with open registration enabled (the default) can be exploited by any self-registered user.
Impact
Exploitation of this vulnerability allows for unauthorized file access, including sensitive application files and database schemas, which could lead to further attacks such as SQL injection.
Reproduction
To reproduce this vulnerability, first register an account on a Flare instance with open registration enabled. After logging in, send a request to the '/api/avatars/[filename]' endpoint with a '%2F'-encoded '../' sequence in the 'filename' parameter. The 'getFileStream()' function will process the request without proper validation, allowing access to files outside the intended directory.
Remediation
Users can update to Flare version 1.7.3 or later, where this vulnerability has been fixed.
