Runtipi
Arbitrary file read in Runtipi 4.9.1-4.9.3 exposes sensitive container secrets via symlink following in an unauthenticated app-store logo endpoint. An attacker who controls a Git-based app-store repository can embed a symbolic link as a marketplace logo file; because the path guard performs only lexical validation before Node.js reads the file, Runtipi resolves and returns the symlink target, potentially leaking /data/.env, JWT secrets, service credentials, and seed values to any unauthenticated requester. No public exploit code has been identified at time of analysis and the issue is not listed in CISA KEV; a vendor-confirmed fix is available in v4.10.0.
Critical authentication bypass vulnerability in Runtipi (versions prior to 4.8.1), a personal homeserver orchestrator, where attackers with stolen credentials can brute-force TOTP codes due to missing rate limiting. The vulnerability allows complete bypass of two-factor authentication in approximately 33 minutes, effectively compromising account security. While not currently in CISA KEV or showing high EPSS scores, the vulnerability has a CVSS 8.1 rating and a patch is available in version 4.8.1.
Runtipi versions 4.5.0 through 4.7.1 contain an unauthenticated path traversal vulnerability in the UserConfigController that allows remote attackers to overwrite the docker-compose.yml configuration file through insecure URN parsing. An attacker can inject a malicious stack configuration that executes arbitrary code when the instance restarts, achieving full remote code execution and host compromise. Public exploit code exists and no patch is currently available.
Runtipi versions 3.7.0 through 4.6.x suffer from arbitrary command execution when authenticated users upload backups with malicious filenames containing shell metacharacters, which the BackupManager fails to sanitize before executing restore operations. An attacker with valid credentials can craft a backup filename like $(id).tar.gz to achieve remote code execution on the host server with the privileges of the Runtipi process. Public exploit code exists for this vulnerability, and patches are available in version 4.7.0 and later.