Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 2 npm packages depend on @saltcorn/server (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.5.0-beta.0.
DescriptionGitHub Advisory
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4.
AnalysisAI
Path traversal in Saltcorn's mobile sync endpoints enables remote unauthenticated attackers to write arbitrary JSON files and create directories anywhere on the server filesystem, plus read directory listings and JSON file contents. Affects all versions before 1.4.5, 1.5.0-beta.0 through 1.5.4, and 1.6.0-alpha.0 through 1.6.0-beta.3. Publicly available exploit code exists (SSVC: POC status), with EPSS probability of 0.08% (23rd percentile) indicating low widespread exploitation likelihood despite the critical impact. The vulnerability enables direct filesystem manipulation without authentication, though confidentiality impact is rated low (CVSS C:L) as only JSON files and directory listings are readable.
Technical ContextAI
Saltcorn is a no-code database application builder written in Node.js. The vulnerability stems from improper path validation (CWE-22: Path Traversal) in two mobile synchronization API endpoints. The POST /sync/offline_changes endpoint fails to sanitize user-supplied path parameters before writing changes.json files, allowing directory traversal sequences (../) to escape intended directories. Similarly, GET /sync/upload_finished lacks path validation when reading directory contents and JSON files. These endpoints are part of Saltcorn's offline-first mobile sync feature, which appears to have been designed without authentication requirements or filesystem access controls. The affected component is the web application server layer that handles HTTP requests to these specific routes, not the underlying database or file storage system itself.
RemediationAI
Upgrade immediately to patched versions: 1.4.5 for the stable 1.4.x branch, 1.5.5 for the 1.5.x series, or 1.6.0-beta.4 for users on 1.6 preview builds. Patches are available from the official Saltcorn GitHub repository and NPM registry. If immediate patching is not possible, implement network-level access controls to restrict the /sync/offline_changes and /sync/upload_finished endpoints to authenticated sessions only via reverse proxy rules (e.g., nginx location blocks requiring valid session cookies) - note this will break offline mobile sync functionality for legitimate users until patching is completed. Alternatively, disable the mobile sync feature entirely if not required for your deployment by removing or commenting out the sync route handlers in the application configuration, though this requires code modification and may not survive application restarts. Monitor web server access logs for POST requests to /sync/offline_changes and GET requests to /sync/upload_finished from unexpected IP addresses or containing directory traversal patterns (../, ..\ sequences) as indicators of exploitation attempts. Conduct filesystem integrity checks to identify any unauthorized changes.json files or directories created outside expected application data paths. Refer to the GitHub security advisory at https://github.com/saltcorn/saltcorn/security/advisories/GHSA-32pv-mpqg-h292 for additional vendor guidance.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21517
GHSA-32pv-mpqg-h292