GoDoxy has a Path Traversal Vulnerability in its File API

Description

Summary

The file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Join(common.ConfigBasePath, filename) where ConfigBasePath = "config" (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (binding:"required").

An authenticated attacker can use ../ sequences to read or write files outside the intended config/ directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID.

Root Cause

File: internal/api/v1/file/get.go, lines 68-73:

func (t FileType) GetPath(filename string) string {
    if t == FileTypeMiddleware {
        return path.Join(common.MiddlewareComposeBasePath, filename)
    }
    return path.Join(common.ConfigBasePath, filename)
}
  • common.ConfigBasePath = "config" — relative path, not absolute
  • path.Join("config", "../certs/key.pem") normalizes to "certs/key.pem" — escaping config/
  • No call to strings.HasPrefix, filepath.Rel, or any containment check exists
  • The format:"filename" struct tag is an OpenAPI/Swagger annotation only, not enforced by the validator

Proof of Concept

Environment

  • GoDoxy v0.27.4 (ghcr.io/yusing/godoxy:latest)
  • Authentication enabled with default credentials (admin/password)

Steps to Reproduce

Step 1 — Authenticate:

Step 2 — Read file outside config/ via path traversal:

GET /api/v1/file/content?type=config&filename=../certs/secret-agent-key.pem HTTP/1.1
Host: localhost:8888
Cookie: godoxy_token=<JWT>

HTTP Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 43
Content-Type: application/godoxy+yaml
Expires: 0
Pragma: no-cache

THIS_IS_A_SECRET_PRIVATE_KEY_FOR_AGENT_TLS

<img width="1489" height="286" alt="image" src="https://github.com/user-attachments/assets/05f3464f-20ba-4913-830d-9fcc2fa1a2e3" />

Impact

Files accessible via this vulnerability

Path (relative to config/) Contents Risk
../certs/agents/{host}.zip CA cert + server cert + TLS private key Impersonate GoDoxy server to remote agents
../data/oauth_refresh_tokens.json OIDC refresh tokens for all active sessions Account takeover via token reuse
../../etc/ssl/certs/ca-certificates.crt System CA certificates Information disclosure
Any file readable by UID 1000 Depends on mounted volumes Variable

The PUT /api/v1/file/content endpoint is also affected. While the content must pass YAML schema validation (config or provider format), an attacker can write valid provider YAML files outside config/, potentially injecting malicious route definitions.

Suggested Remediation

Validate that the resolved path remains within the base directory:

func (t FileType) GetPath(filename string) (string, error) {
    var base string
    if t == FileTypeMiddleware {
        base = common.MiddlewareComposeBasePath
    } else {
        base = common.ConfigBasePath
    }

    absBase, _ := filepath.Abs(base)
    resolved, _ := filepath.Abs(filepath.Join(base, filename))

    if !strings.HasPrefix(resolved, absBase+string(filepath.Separator)) {
        return &quot;&quot;, fmt.Errorf(&quot;path traversal detected: %s&quot;, filename)
    }

    return resolved, nil
}

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-03-24 16:35:30 UTC
Updated
2026-03-27 21:18:01 UTC
GitHub reviewed
2026-03-24 16:35:30 UTC
NVD published
2026-03-26

EPSS Score

Score Percentile
0.08% 24.80%

CVSS Scores

Base score Version Severity Vector
6.5 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Credits

  • ormzro (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/yusing/godoxy < 0.27.5 0.27.5

References

cvelogic Threat Intelligence