Suse
CVE-2026-33528
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Join(common.ConfigBasePath, filename) where ConfigBasePath = "config" (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (binding:"required").
An authenticated attacker can use ../ sequences to read or write files outside the intended config/ directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID.
Root Cause
File: internal/api/v1/file/get.go, lines 68-73:
func (t FileType) GetPath(filename string) string {
if t == FileTypeMiddleware {
return path.Join(common.MiddlewareComposeBasePath, filename)
}
return path.Join(common.ConfigBasePath, filename)
}common.ConfigBasePath = "config"- relative path, not absolutepath.Join("config", "../certs/key.pem")normalizes to"certs/key.pem"- escapingconfig/- No call to
strings.HasPrefix,filepath.Rel, or any containment check exists - The
format:"filename"struct tag is an OpenAPI/Swagger annotation only, not enforced by the validator
Proof of Concept
Environment
- GoDoxy v0.27.4 (
ghcr.io/yusing/godoxy:latest) - Authentication enabled with default credentials (
admin/password)
Steps to Reproduce
Step 1 - Authenticate:
Step 2 - Read file outside config/ via path traversal:
GET /api/v1/file/content?type=config&filename=../certs/secret-agent-key.pem HTTP/1.1
Host: localhost:8888
Cookie: godoxy_token=<JWT>HTTP Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 43
Content-Type: application/godoxy+yaml
Expires: 0
Pragma: no-cache
THIS_IS_A_SECRET_PRIVATE_KEY_FOR_AGENT_TLS<img width="1489" height="286" alt="image" src="https://github.com/user-attachments/assets/05f3464f-20ba-4913-830d-9fcc2fa1a2e3" />
Impact
Files accessible via this vulnerability
Path (relative to config/) | Contents | Risk |
|---|---|---|
../certs/agents/{host}.zip | CA cert + server cert + TLS private key | Impersonate GoDoxy server to remote agents |
../data/oauth_refresh_tokens.json | OIDC refresh tokens for all active sessions | Account takeover via token reuse |
../../etc/ssl/certs/ca-certificates.crt | System CA certificates | Information disclosure |
| Any file readable by UID 1000 | Depends on mounted volumes | Variable |
The PUT /api/v1/file/content endpoint is also affected. While the content must pass YAML schema validation (config or provider format), an attacker can write valid provider YAML files outside config/, potentially injecting malicious route definitions.
Suggested Remediation
Validate that the resolved path remains within the base directory:
func (t FileType) GetPath(filename string) (string, error) {
var base string
if t == FileTypeMiddleware {
base = common.MiddlewareComposeBasePath
} else {
base = common.ConfigBasePath
}
absBase, _ := filepath.Abs(base)
resolved, _ := filepath.Abs(filepath.Join(base, filename))
if !strings.HasPrefix(resolved, absBase+string(filepath.Separator)) {
return "", fmt.Errorf("path traversal detected: %s", filename)
}
return resolved, nil
}AnalysisAI
GoDoxy versions prior to 0.27.5 contain a path traversal vulnerability in the /api/v1/file/content API endpoint that allows authenticated attackers to read and write arbitrary files outside the intended config/ directory. An attacker with valid credentials can exploit this vulnerability to access sensitive files including TLS private keys, OAuth refresh tokens, and system certificates by manipulating the filename query parameter with ../ sequences. A proof-of-concept has been published demonstrating successful extraction of private keys, and the vulnerability carries a CVSS 6.5 score with active patch availability.
Technical ContextAI
The vulnerability exists in GoDoxy (pkg:go/github.com_yusing_godoxy), a containerized configuration and proxy management application written in Go. The root cause is improper input validation in the file content retrieval handler (internal/api/v1/file/get.go), which implements a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) vulnerability. The application uses Go's path.Join() function with a relative base path (config/) combined with unsanitized user-supplied filename parameters. Since path.Join() performs path normalization without enforcing directory containment, an attacker can traverse parent directories using ../ sequences. The vulnerable code lacks any post-join validation such as filepath.Abs() comparison or strings.HasPrefix() containment checks, allowing normalization to escape the intended directory boundary.
RemediationAI
Immediately upgrade GoDoxy to version 0.27.5 or later, which implements proper path containment validation using filepath.Abs() and strings.HasPrefix() checks as described in the vendor advisory. For organizations unable to patch immediately, implement network-level access controls by restricting access to the /api/v1/file/content API endpoint to trusted internal networks only, disable password authentication in favor of multi-factor authentication or OAuth/OIDC integration to reduce compromised account risk, and audit container image registries to ensure only patched versions are deployed. Additionally, rotate any TLS private keys and OAuth refresh tokens that may have been exposed during the window of vulnerability. Detailed patch information and migration guidance are available at https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today