Banana Slides Path Traversal Vulnerability in AI Service Backend

Vulnerability

A path traversal vulnerability has been identified in Banana Slides version 0.4.0, in the AI service backend's generate_image() function. It allows unauthenticated attackers to read arbitrary image files from outside the designated uploads directory. The root cause is a path prefix check that does not account for a trailing separator: it accepts any resolved path that merely begins with the uploads directory string, so an attacker can craft markdown image references in a user-controlled page description that point into sibling directories sharing the uploads folder prefix. This bypasses directory confinement and causes the application to read files from unintended locations via PIL's Image.open().
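To make the flaw concrete, the following is an added illustration (not Banana Slides' own code) of the class of check the advisory describes beside a hardened version that compares whole path components. The uploads path, function names and sample page description are assumptions constructed for the example.

```python
import posixpath
import re

# Assumed uploads location and a minimal markdown image reference matcher;
# both are constructed for this illustration, not taken from the project.
UPLOADS_DIR = "/app/uploads"
MD_IMAGE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")


def _resolve(ref: str, uploads_dir: str) -> str:
    """Map an image reference to an absolute, normalised path (".." collapsed)."""
    return posixpath.normpath(posixpath.join(uploads_dir, ref))


def is_within_uploads_flawed(ref: str, uploads_dir: str = UPLOADS_DIR) -> bool:
    """Prefix check of the kind the advisory describes: no trailing separator,
    so a sibling such as /app/uploads_secret is accepted as if it were inside."""
    return _resolve(ref, uploads_dir).startswith(uploads_dir)


def is_within_uploads(ref: str, uploads_dir: str = UPLOADS_DIR) -> bool:
    """Hardened check: only the uploads directory itself or a descendant of it
    shares its full component path, so siblings and ".." escapes are rejected."""
    base = posixpath.normpath(uploads_dir)
    return posixpath.commonpath([base, _resolve(ref, uploads_dir)]) == base


def audit_description(description: str, uploads_dir: str = UPLOADS_DIR) -> dict:
    """For each image reference in a page description, report whether the
    flawed and the hardened check would let the backend open that path."""
    return {
        ref: {
            "flawed": is_within_uploads_flawed(ref, uploads_dir),
            "hardened": is_within_uploads(ref, uploads_dir),
        }
        for ref in MD_IMAGE.findall(description)
    }


# Constructed sample: one legitimate reference, one sibling-directory
# reference (the advisory's case) and one ".." attempt the prefix check
# already catches.
SAMPLE_DESCRIPTION = (
    "Slide 1 ![logo](/app/uploads/logo.png) "
    "![sibling](/app/uploads_secret/photo.png) "
    "![dotdot](../other/file.png)"
)

if __name__ == "__main__":
    for ref, verdict in audit_description(SAMPLE_DESCRIPTION).items():
        print(f"{ref}: flawed={verdict['flawed']} hardened={verdict['hardened']}")
```

Running it shows the sibling-directory reference passing the prefix check but failing the component-wise check, which is the behaviour a fix has to produce.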

Impact

Exploitation of this vulnerability allows for arbitrary file reading from any directory whose absolute path begins with the uploads directory path, excluding the uploads directory itself. In the default Docker deployment, this includes sibling directories such as uploads_backup, uploads_tmp, and uploads_secret. The read files are processed server-side in a background thread, and while only valid image files can be successfully opened, error messages for non-image files may inadvertently leak information about the existence of those files.

Reproduction

To reproduce this vulnerability, upload a file into a sibling directory of the default uploads directory. Then, create a new project and page in Banana Slides. Inject a markdown image reference in the page description that points to the crafted file in the sibling directory, ensuring the reference escapes the uploads directory. Finally, trigger the image generation process, which will read the file via the vulnerable path traversal check before the AI API call is made.

Remediation

Users can update to Banana Slides version 0.4.1 or later, where this vulnerability has been patched.

Added: Jun 1, 2026, 9:23 PM
Updated: Jun 1, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.3
remediation: 0.0
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.