adenhq Hive Path Traversal Vulnerability in Delete Request Handler Allowing Arbitrary Directory Deletion

Vulnerability

A path traversal vulnerability has been identified in adenhq Hive versions prior to 0.11.0. The issue resides in the Delete Request Handler within the function _read_events_tail, located in core/framework/server/routes_sessions.py. This vulnerability allows an unauthenticated attacker to manipulate the session_id parameter, escaping the intended directory and arbitrarily deleting files or directories on the host system that the application process can access. The vulnerability can be exploited remotely, and the details of the exploitation have been made public.

Impact

Exploitation of this vulnerability allows for unauthenticated arbitrary directory deletion, which can lead to significant data loss and a denial-of-service condition by disrupting application dependencies or configurations.

Reproduction

To reproduce this vulnerability, send a DELETE request to the session history API endpoint, including a URL-encoded path traversal payload that escapes the intended session directory. The payload should traverse up the directory structure and append a target directory or file that the application process has permission to delete. After the request is processed, verify that the targeted directory or file has been successfully removed from the filesystem.
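As an added example (not code from Hive or its maintainers), the allowlist and path-containment checks a hardened delete handler would apply to session_id before removing anything; the sessions root, the id format, the directory names and the sibling "config" directory are all constructed for this demonstration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Opaque-token format assumed for this example; not Hive's real id scheme.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def resolve_session_dir(sessions_root: Path, session_id: str) -> Path:
    """Map a request's session_id to its directory, raising ValueError
    if the id is malformed or resolves outside sessions_root."""
    # Allowlist first: '.', '/', '\\' and '%' are all rejected, so literal
    # and percent-encoded traversal sequences fail before any path is built.
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("malformed session_id")
    root = sessions_root.resolve()
    target = (root / session_id).resolve()
    # resolve() collapses '..' and follows symlinks; a target whose parent
    # is not root has escaped, including via a planted symlink.
    if target.parent != root:
        raise ValueError("session_id escapes sessions root")
    return target

def delete_session(sessions_root: Path, session_id: str) -> bool:
    """Delete the session's directory. True if removed, False if absent."""
    session_dir = resolve_session_dir(sessions_root, session_id)
    if not session_dir.is_dir():
        return False
    shutil.rmtree(session_dir)
    return True

def run_demo() -> dict:
    """Exercise the handler on a constructed layout in a temp directory:
    one real session plus a sibling 'config' dir that must survive."""
    base = Path(tempfile.mkdtemp())
    sessions = base / "sessions"
    (sessions / "sess-42").mkdir(parents=True)
    (base / "config").mkdir()
    results = {}
    for sid in ("sess-42", "../config", "%2e%2e%2fconfig", "missing"):
        try:
            results[sid] = delete_session(sessions, sid)
        except ValueError:
            results[sid] = "rejected"
    results["config_intact"] = (base / "config").is_dir()
    shutil.rmtree(base)
    return results
```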

Added: May 17, 2026, 2:18 PM
Updated: May 17, 2026, 2:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.0
exploitability: 8.7
remediation: 0.0
relevance: 8.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.