FedML-AI FedML Path Traversal Vulnerability in MQTT Message Handler
Vulnerability
A path traversal vulnerability has been identified in the FedML-AI FedML Android client, affecting versions through 0.8.9. The issue arises in the MQTT message handling component, specifically within the FileUtils.java file. The vulnerability allows an attacker to manipulate the dataSet parameter in MQTT messages, leading to unauthorized access and enumeration of directories in the application's accessible filesystem. This exploitation is possible remotely, and a public proof-of-concept is available.
Impact
Exploitation of this vulnerability allows for directory enumeration, crossing a trust boundary from the network to the local filesystem, and could potentially lead to a denial-of-service condition on the affected device.
Reproduction
To reproduce this vulnerability, publish an MQTT message containing a crafted dataSet parameter with a path traversal payload, such as '../../../../data/data/'. The FedML Android client will process the message and access unintended directories, such as the application's data directory, where sensitive information could be disclosed.
Remediation
It is recommended to validate the dataSet input so that it cannot be used to traverse directories, to enforce canonical path restrictions (resolve the supplied value to a canonical path and confirm it still lies under the intended base directory), and to harden the MQTT transport by applying authentication and strict topic access controls.
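The following is an added example of the canonical-path containment check described above; it is not code from the FedML project, and the class name, method name and base directory are assumptions chosen for illustration:

```java
import java.io.File;
import java.io.IOException;

public final class DataSetPathCheck {

    private DataSetPathCheck() {}

    /**
     * Resolve a dataSet value received over MQTT against the allowed base
     * directory and reject anything that would escape it.
     * (Hypothetical helper; not part of FedML's FileUtils.java.)
     */
    public static File resolveDataSet(File baseDir, String dataSet) throws IOException {
        if (dataSet == null || dataSet.isEmpty()) {
            throw new IllegalArgumentException("dataSet must not be empty");
        }
        // Syntactic pre-check: a dataset name never legitimately contains
        // separators, parent references or NUL bytes.
        if (dataSet.contains("..") || dataSet.contains("/")
                || dataSet.contains("\\") || dataSet.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("dataSet contains path characters");
        }
        // Defence in depth: canonical paths resolve symlinks and "."/".."
        // components, so the containment check holds even if the pre-check
        // is later relaxed.
        String base = new File(baseDir.getCanonicalPath()).getPath();
        File candidate = new File(baseDir, dataSet);
        String resolved = candidate.getCanonicalPath();
        // Compare with a trailing separator so "datasets-other" is not
        // mistaken for something inside "datasets".
        if (!resolved.startsWith(base + File.separator)) {
            throw new SecurityException("dataSet resolves outside " + base);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed base directory for the demonstration only.
        File base = new File("/data/data/com.example.fedmlclient/files/datasets");
        String[] samples = {"mnist", "../../../../data/data/", "cifar10/../../etc"};
        for (String s : samples) {
            try {
                System.out.println("allowed:  " + resolveDataSet(base, s).getPath());
            } catch (IllegalArgumentException | SecurityException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

On a device the same check should run on every dataSet value before any directory listing or file access, and rejected values are worth logging since they indicate a malformed or hostile MQTT message.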