Saltcorn Server allows logged-in users to delete arbitrary files because of a path traversal vulnerability
- Severity: High
Description
A logged-in user with any role can delete arbitrary files on the filesystem by calling the sync/clean_sync_dir endpoint. The dir_name POST parameter is neither validated nor sanitized; it is used directly to construct the syncDir path, which is then deleted by calling fs.rm.
Recommendation
Update the @saltcorn/server package to the latest compatible version. Version details are as follows:
- Affected version(s): <= 1.0.0-beta.15
- Patched version(s): 1.0.0-beta.16
References
Related Issues
- SillyTavern: Path Traversal in `/api/chats/export` and `/api/chats/delete` allows arbitrary file read/delete within user - CVE-2026-34524
- Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read - CVE-2026-40163
- Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory - CVE-2026-30848
- SillyTavern has a path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory - CVE-2026-34522
- Tags: npm, @saltcorn/server
Last updated on October 08, 2024