CVE-2022-25377
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to read arbitrary local files on Appwrite servers via directory traversal in the ACME-challenge endpoint. It affects Appwrite installations from version 0.5.0 through 0.12.1 that have the Let's Encrypt certificate feature enabled or have the specific directory path created.
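The defensive pattern that closes this class of bug is to refuse any client-supplied name that is not a valid ACME token and, independently, to canonicalize the joined path and check that it still sits under the challenge directory. The following is an added illustration written for this page; it is not Appwrite's handler and not the code from the 0.12.2 fix. DEMO_BASE is a placeholder for the acme-challenge directory under APP_STORAGE_CERTIFICATES, and the token format (base64url) is taken from RFC 8555, not from the advisory.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Placeholder for the challenge directory on a real deployment (not a path from the advisory).
DEMO_BASE = "/path/to/APP_STORAGE_CERTIFICATES/.well-known/acme-challenge"

# ACME HTTP-01 tokens (RFC 8555) are base64url strings. A strict allow-list is the
# first line of defence: a name containing '/', '.' or '%' is not a token and is refused.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,256}$")


def is_under(base_real: str, target_real: str) -> bool:
    """True if target_real is strictly inside base_real (both already canonical).

    commonpath works on path components, so '/a/bc' is correctly NOT under '/a/b'
    (a plain startswith() check would get that wrong).
    """
    if target_real == base_real:
        return False
    return os.path.commonpath([base_real, target_real]) == base_real


def resolve_challenge_file(base_dir: str, requested: str) -> Optional[str]:
    """Map the client-supplied last path segment onto a file under base_dir.

    Returns the canonical path to serve, or None if the request must be refused.
    Both layers are kept on purpose: the allow-list stops traversal outright, and
    the containment check still holds if the allow-list is ever loosened.
    """
    name = unquote(requested)  # '..%2f' and '%2e%2e' become a literal '../' before checking
    if "\x00" in name or not TOKEN_RE.fullmatch(name):
        return None
    base_real = os.path.realpath(base_dir)
    # A bare os.path.join(base_dir, name) is the shape of a traversal bug: '..'
    # segments (or an absolute name) walk out of base_dir. realpath collapses
    # '..' and follows symlinks, so the containment check sees the true target.
    target_real = os.path.realpath(os.path.join(base_real, name))
    if not is_under(base_real, target_real):
        return None
    return target_real


if __name__ == "__main__":
    for req in ("abc-123_XYZ", "../../../../etc/hostname", "..%2f..%2fconfig.php"):
        print(f"{req!r:32} -> {resolve_challenge_file(DEMO_BASE, req)}")
```

The realpath step matters even when the allow-list is in place: if the challenge directory itself is a symlink, comparing the un-resolved strings would pass a target that actually lives elsewhere.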
💻 Affected Systems
- Appwrite
📦 What is this software?
Appwrite by Appwrite
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive files including configuration files, environment variables, secrets, and database credentials, potentially leading to complete system compromise.
Likely Case
Attackers read configuration files containing secrets, API keys, or database credentials, enabling further attacks against the application or connected systems.
If Mitigated
If the vulnerable endpoint is disabled or patched, attackers cannot access arbitrary files, limiting impact to normal application functionality.
🎯 Exploit Status
Exploitation requires simple HTTP requests with directory traversal sequences. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.12.2
Vendor Advisory: https://github.com/appwrite/appwrite/releases/tag/0.12.2
Restart Required: Yes
Instructions:
1. Back up your Appwrite data and configuration.
2. Update Appwrite to version 0.12.2 or later using your deployment method (Docker, manual, etc.).
3. Restart the Appwrite services.
4. Verify the fix by checking the version and testing the vulnerable endpoint.
🔧 Temporary Workarounds
Disable ACME-challenge endpoint
Remove or restrict access to the vulnerable endpoint if Let's Encrypt certificates are not needed.
# Remove the vulnerable directory
rm -rf /path/to/APP_STORAGE_CERTIFICATES/.well-known/acme-challenge
# Or configure web server to block access to this path
Web server access restrictions
Configure your reverse proxy or web server to block access to the vulnerable path. Note that this also blocks legitimate HTTP-01 challenge responses, so Let's Encrypt issuance and renewal will fail while the rule is in place.
# Example nginx configuration
location ~ ^/\.well-known/acme-challenge/ {
    deny all;
    return 403;
}
🧯 If You Can't Patch
- Restrict network access to Appwrite servers to trusted IPs only using firewall rules.
- Implement web application firewall (WAF) rules to block directory traversal patterns in requests.
🔍 How to Verify
Check if Vulnerable:
Check whether the Appwrite version is between 0.5.0 and 0.12.1 (inclusive) AND whether the directory APP_STORAGE_CERTIFICATES/.well-known/acme-challenge exists on the server.
Check Version:
docker exec appwrite appwrite --version
If that command is not available in your deployment, check the Appwrite configuration files (for example the image tag in your compose file) for the version.
Verify Fix Applied:
Verify Appwrite version is 0.12.2 or later and test that directory traversal attempts to the ACME-challenge endpoint return appropriate errors instead of file contents.
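The two conditions above (affected version range AND the challenge directory present) are easy to get wrong when checked by hand, because a string comparison ranks "0.9.0" above "0.12.1". The script below is an added example for this page, not a tool shipped by Appwrite; it assumes the version appears in the `appwrite --version` output or image tag as a dotted X.Y.Z triple, and it takes the directory that APP_STORAGE_CERTIFICATES points at as an argument.

```python
import os
import re
from typing import Callable, Optional, Tuple

# Affected range stated in the advisory: 0.5.0 through 0.12.1 inclusive; fixed in 0.12.2.
AFFECTED_MIN = (0, 5, 0)
AFFECTED_MAX = (0, 12, 1)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first X.Y.Z triple from version output or an image tag.

    Assumption: the version appears somewhere in the text as a dotted triple
    (e.g. 'appwrite 0.12.1' or 'appwrite/appwrite:0.12.2').
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def version_affected(version: Tuple[int, int, int]) -> bool:
    """Tuple comparison avoids the string-comparison trap where '0.9.0' > '0.12.1'."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(version_text: str,
           certificates_dir: str,
           dir_exists: Callable[[str], bool] = os.path.isdir) -> str:
    """Combine both conditions from the advisory: affected version AND the
    .well-known/acme-challenge directory present under the certificates dir.

    certificates_dir is the directory APP_STORAGE_CERTIFICATES points at on
    your deployment; dir_exists is injectable so the logic can be unit-tested.
    """
    version = parse_version(version_text)
    if version is None:
        return "unknown: could not parse version"
    if not version_affected(version):
        return "not affected: version outside 0.5.0-0.12.1"
    challenge_dir = os.path.join(certificates_dir, ".well-known", "acme-challenge")
    if dir_exists(challenge_dir):
        return "vulnerable: affected version and challenge directory present"
    return "affected version: challenge directory absent, exposure begins once it is created"


if __name__ == "__main__":
    import subprocess
    import sys
    # Same command the advisory gives; adjust the container name for your deployment.
    out = subprocess.run(["docker", "exec", "appwrite", "appwrite", "--version"],
                         capture_output=True, text=True).stdout
    certs = sys.argv[1] if len(sys.argv) > 1 else "/path/to/APP_STORAGE_CERTIFICATES"
    print(assess(out, certs))
```

Run it on the host with the certificates directory as the first argument; the third outcome (affected version, directory not yet created) still warrants patching, since the directory appears as soon as the Let's Encrypt feature is used.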
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' patterns to /.well-known/acme-challenge/ endpoint
- Unusual file access patterns from external IPs
Network Indicators:
- HTTP requests with directory traversal sequences (../) in URL parameters or paths
SIEM Query:
source="web_access_logs" AND (url_path="/.well-known/acme-challenge/" AND (url_contains="../" OR url_contains="..%2f"))
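The SIEM query above matches the literal `../` and `..%2f` forms. As an added example for this page (not from the advisory or from Appwrite), the script below runs the same detection over access-log lines and goes a step further: it percent-decodes twice to catch double encoding, treats `%2e%2e` and backslashes as traversal, and only counts `..` when it is a whole path segment. The log lines are constructed samples in the common nginx/Apache "combined" format, and the addresses are documentation-range placeholders.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines in "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2022:12:00:01 +0000] "GET /.well-known/acme-challenge/abc123token HTTP/1.1" 200 87 "-" "acme-client/1.0"
203.0.113.11 - - [10/Mar/2022:12:00:02 +0000] "GET /.well-known/acme-challenge/../../../../.env HTTP/1.1" 200 2140 "-" "curl/7.81.0"
203.0.113.12 - - [10/Mar/2022:12:00:03 +0000] "GET /.well-known/acme-challenge/..%2f..%2fconfig.php HTTP/1.1" 200 512 "-" "python-requests/2.27"
203.0.113.13 - - [10/Mar/2022:12:00:04 +0000] "GET /.well-known/acme-challenge/%2e%2e%2f%2e%2e%2fapp/config.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Mar/2022:12:00:05 +0000] "GET /v1/health HTTP/1.1" 200 20 "-" "Mozilla/5.0"
203.0.113.15 - - [10/Mar/2022:12:00:06 +0000] "GET /static/../index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/.well-known/acme-challenge/"


def normalize_path(raw: str) -> str:
    """Percent-decode up to twice (catches '%252e' double encoding) and turn
    backslashes into slashes so '..\\' and '..%5c' look like '../'."""
    decoded = raw
    for _ in range(2):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """A '..' that forms a whole segment is traversal; 'foo..bar' is not."""
    return any(seg == ".." for seg in path.split("/"))


def find_acme_traversal(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, status, raw_path) for every request that targets the
    ACME-challenge endpoint and contains a traversal segment after decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        raw_path = m.group("path").split("?", 1)[0]  # ignore the query string
        norm = normalize_path(raw_path)
        if norm.startswith(ENDPOINT) and is_traversal(norm):
            hits.append((m.group("ip"), m.group("status"), raw_path))
    return hits


if __name__ == "__main__":
    for ip, status, path in find_acme_traversal(SAMPLE_LOG):
        print(f"{ip:15} {status} {path}")
```

Read the status column together with the response size: a flagged request that returned 200 with a non-trivial body is a probable successful file read on an unpatched host, while a 404 or 403 suggests the host was already patched or blocked and the line records a probe. The `/static/../index.html` line is deliberately not flagged, matching the page's query scope; widen `ENDPOINT` if you want every traversal attempt regardless of path.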
🔗 References
- https://dubell.io/unauthenticated-lfi-in-appwrite-0.5.0-0.12.1/
- https://github.com/appwrite/appwrite/blob/0.12.0/app/controllers/general.php#L539
- https://github.com/appwrite/appwrite/pull/2780
- https://github.com/appwrite/appwrite/releases/tag/0.12.2