Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable gateway with low-complexity '..' payload; PR:L reflects that S3/Iceberg requests are normally authenticated, and cross-bucket read/write gives high C and I with no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers with mux.NewRouter().SkipClean(true). With path cleaning disabled, a .. segment inside the URL survives routing, so a request such as GET /bucket-A/../evil-bucket/key, is matched as bucket=bucket-A, object=../evil-bucket/key. The captured object key is then joined into a filer path with util.JoinPath (S3) / path.Join (Iceberg), which collapse the .. server-side, so the actual read or write lands in evil-bucket. This vulnerability is fixed in 4.30.
AnalysisAI
Cross-bucket read/write in SeaweedFS before 4.30 lets remote attackers escape a bucket's namespace because the S3 API gateway and the Iceberg REST catalog gateway build their gorilla/mux routers with SkipClean(true), letting a literal '..' segment survive routing before downstream path joins collapse it server-side. A request like 'GET /bucket-A/../evil-bucket/key' is routed as bucket=bucket-A but resolves to evil-bucket, allowing an actor to read or write objects in buckets they should not reach. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target run the SeaweedFS S3 API gateway and/or the Iceberg REST catalog gateway, which in versions before 4.30 are constructed with mux.NewRouter().SkipClean(true) - that non-collapsing router setting IS the enabling condition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) with subsequent-system impact SC:H/SI:H (base 7.8 / High) describes a network-reachable, low-complexity attack with high integrity and confidentiality consequences for adjacent buckets. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An actor with access to the S3 gateway sends 'GET /bucket-A/../evil-bucket/key' (or the Iceberg equivalent with a '..' namespace/table segment); mux's SkipClean(true) preserves the '..', and util.JoinPath/path.Join then collapse it so the read lands in evil-bucket instead of bucket-A. The same trick with a PUT writes attacker-controlled data into another bucket, enabling cross-bucket data theft or tampering. … |
| Remediation | Vendor-released patch: upgrade SeaweedFS to 4.30 or later, which adds router-level path validation that rejects '..', '.', embedded slashes/backslashes, NUL, and malformed unit-separator namespace segments before they reach the filer path joins (per PR https://github.com/seaweedfs/seaweedfs/pull/9687 and advisory https://github.com/seaweedfs/seaweedfs/security/advisories/GHSA-w62w-66v9-vvgv). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all SeaweedFS deployments and confirm version numbers; audit which versions are 4.29 or earlier. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cross-tenant object deletion in SeaweedFS before 4.34 lets an authenticated S3 principal holding write access to just on
Unvalidated JSONP callback reflection in SeaweedFS before 4.30 enables cross-origin reads of cluster topology, volume se
seaweedfs v3.68 was discovered to contain a SQL injection vulnerability via the component /abstract_sql/abstract_sql_sto
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39535