Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
The nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory (/etc/nginx). In particular, this allows an authenticated user to remove the entire /etc/nginx directory, resulting in a partial Denial of Service.
Details
The file deletion logic fails to correctly validate and normalize paths containing URL-encoded traversal sequences such as ..%252F.
When such input is processed, the internal path resolution logic attempts to clamp the path into the allowed configuration directory. Instead of rejecting the traversal attempt, the clamping mechanism resolves the path to the base Nginx configuration directory itself.
Because the deletion handler invokes os.RemoveAll, which recursively removes directories, this results in the deletion of the entire /etc/nginx directory.
This behavior creates a dangerous interaction between path normalization and deletion logic:
- Traversal sequences are not rejected.
- Double-encoding (
..%252F) is used to bypass initial shallow filters. - The clamping mechanism resolves malicious paths to the base configuration directory.
- The deletion handler recursively deletes the resolved path.
As a result, an attacker can trigger deletion of the entire Nginx configuration directory instead of being blocked by path validation logic.
Root Cause
The vulnerability results from a combination of design flaws:
- Improper Path Canonicalization: URL-encoded traversal sequences are not properly rejected.
- Unsafe Fallback Logic: The
GetConfPathclamping mechanism returns the base configuration directory when traversal is detected instead of rejecting the request. - Unsafe Deletion Primitive: The deletion handler invokes
os.RemoveAll, which recursively deletes directories without additional safeguards. (delete.go)
// Delete the file or directory
err = os.RemoveAll(fullPath)
if err != nil {
cosy.ErrHandler(c, err)
return
}This interaction causes the deletion operation to target the most sensitive directory when a traversal attempt occurs.
Environment
- Server OS: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64)
- Nginx UI Version: nginx-ui v2.3.3
- Deployment: Docker / Default installation
Proof of Concept
Steps to Reproduce
- Log into nginx-ui.
- Go to Manage Configs and create a Folder named *..%252F..%252F..%252F..%252Ftest*
<img width="1608" height="559" alt="image" src="https://github.com/user-attachments/assets/738d7d65-7e13-48fa-affc-d5509c43900f" />
- Observe that the backend resolves the path to /etc/nginx..
- Now lets create a file called *testing*.
- Save it and rename it to *..%252F..%252F..%252F..%252Ftest* (It is not possible to create it directly with the payload name so we have to rename it)
- Go back to manage configs and Click Delete to remove the file we just created.
- Check that there is an error:
<img width="1578" height="696" alt="image" src="https://github.com/user-attachments/assets/51a36310-0676-4fe5-b80c-e0199498efbf" />
- Reload the website and check that the /etc/nginx folder has been completely removed:
<img width="1313" height="722" alt="image" src="https://github.com/user-attachments/assets/0a9ddd1b-786b-4cf2-8abd-1dc6f3a77807" />
Impact
An authenticated user capable of invoking the configuration deletion endpoint can trigger the recursive deletion of the entire Nginx configuration directory (/etc/nginx).
This results in:
- Immediate failure of the Nginx service due to missing configuration files.
- Loss of all Nginx configuration managed by nginx-ui.
- Denial of Service for all web services relying on the affected Nginx instance.
As the deletion operation uses a recursive filesystem call, the entire configuration directory is removed, leaving the system unable to restart Nginx until the configuration is manually restored.
A patched version is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4.
AnalysisAI
Authenticated users in nginx-ui v2.3.3 and earlier can delete the entire /etc/nginx configuration directory via path traversal using double-encoded sequences (..%252F), causing immediate Nginx service failure and denial of service. The vulnerability exploits improper URL canonicalization combined with unsafe recursive deletion logic that resolves malicious paths to the base configuration directory instead of rejecting them.
Technical ContextAI
nginx-ui is a web-based management interface for Nginx written in Go. The vulnerability resides in the file deletion handler (delete.go) and path normalization logic (GetConfPath function). The root cause is a combination of three design flaws: (1) URL-encoded traversal sequences like ..%252F bypass initial shallow filters through double-encoding; (2) the path clamping mechanism designed to constrain operations to the configuration directory instead returns the base directory (/etc/nginx) when traversal is detected rather than rejecting the request; (3) the deletion handler invokes os.RemoveAll, which recursively deletes entire directory trees without additional safeguards. This interaction violates the principle of defense-in-depth by using an unsafe fallback behavior (returning the base directory) when security validation fails, creating a critical failure mode. The CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) classification reflects the fundamental path traversal flaw combined with the unsafe consequence of that flaw.
RemediationAI
Upgrade nginx-ui to version v2.3.4 or later immediately. The patched release is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4. For deployments unable to upgrade immediately, restrict access to the nginx-ui web interface to trusted administrators only, implement network-level access controls to limit who can reach the management endpoint, and consider disabling the configuration deletion feature if not actively required. Verify that Nginx configuration backups exist and are regularly maintained, as recovery from a deleted /etc/nginx directory requires manual restoration. Review audit logs for any evidence of exploitation, particularly successful delete operations on configuration paths.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17151
GHSA-m8p8-53vf-8357