CVE-2025-50735
📋 TL;DR
A directory traversal vulnerability in NextChat's WebDAV proxy lets an attacker read files outside the directory the proxy is meant to expose, because the proxy does not properly validate the requested path before forwarding it. All NextChat deployments up to and including version 2.16.0 are affected; the files reachable this way can include configuration files, credentials, or other sensitive data.
💻 Affected Systems
- NextChat
📦 What is this software?
NextChat (ChatGPTNextWeb/NextChat) is a self-hostable, open-source web UI for ChatGPT-style LLM APIs. The affected component is its server-side WebDAV proxy, which forwards requests from the browser client to a WebDAV server.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through exposure of configuration files containing database credentials, API keys, or other secrets, leading to data breach or further attacks.
Likely Case
Unauthorized access to sensitive files like configuration files, logs, or source code, potentially exposing credentials or system information.
If Mitigated
Limited impact with proper network segmentation and access controls, though file exposure risk remains.
🎯 Exploit Status
Exploitation consists of sending the WebDAV proxy a request whose path contains directory traversal sequences such as '../' (raw or percent-encoded). A public proof of concept is available in the references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.16.1 or later
Vendor Advisory: https://github.com/ChatGPTNextWeb/NextChat/security/advisories
Restart Required: Yes
Instructions:
1. Update NextChat to version 2.16.1 or later.
2. Restart the NextChat service.
3. Verify the fix by retesting the WebDAV endpoint with the traversal payloads from the "How to Verify" section; they must no longer return file contents.
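What correct path validation looks like, as an added illustration rather than NextChat's actual patch: a naive prefix check that the traversal payloads slip past, beside a confinement check that decodes, normalises and refuses any path that would climb above the base directory. The base directory '/data/webdav' and all sample paths are assumptions used only for the demonstration.

```javascript
// Added example, not NextChat's code: a naive prefix check beside a hardened
// path-confinement check for a WebDAV proxy. The base directory "/data/webdav"
// and every sample path below are assumptions used only for the demonstration.

// Percent-decode until the string stops changing, so a double-encoded
// "%252e%252e/" is seen as "../". Malformed escapes ("%zz") or input that
// keeps changing after five rounds are rejected with null.
function fullyDecode(raw) {
  let current = raw;
  for (let round = 0; round < 5; round++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (err) {
      return null;
    }
    if (next === current) return current;
    current = next;
  }
  return null;
}

// Vulnerable pattern: the prefix test runs on the raw string, so "../" passes
// unchanged, and "%2e%2e/" passes too because the upstream server decodes it.
function naiveResolve(base, requested) {
  const joined = base + "/" + requested;
  return joined.startsWith(base + "/") ? joined : null;
}

// Hardened: decode first, treat backslashes as separators (a Windows-backed
// WebDAV server would), then walk the segments. A ".." that would climb above
// base is refused outright rather than silently clamped, so the request can be
// logged as an attack. A leading "/" in the request cannot escape because the
// segments are always appended to base, never resolved against the root.
function safeResolve(base, requested) {
  const decoded = fullyDecode(requested);
  if (decoded === null || decoded.includes("\0")) return null;
  const segments = [];
  for (const seg of decoded.replace(/\\/g, "/").split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (segments.length === 0) return null;
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return segments.length === 0 ? base : base + "/" + segments.join("/");
}

// Demonstration over the payloads a tester would try.
const DEMO_BASE = "/data/webdav";
const DEMO_PATHS = [
  "notes/a.txt", "notes/../a.txt", "../../etc/passwd",
  "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/.env", "..\\..\\etc\\passwd", "a%00.txt",
];
for (const p of DEMO_PATHS) {
  console.log(JSON.stringify(p).padEnd(30), "naive:", naiveResolve(DEMO_BASE, p), " safe:", safeResolve(DEMO_BASE, p));
}
```

Rejecting instead of clamping is deliberate: a clamped '../../etc/passwd' would quietly become a harmless path and the attempt would never show up as an error in the logs. Treating backslashes as separators also rejects legitimate file names that contain one, which is the conservative trade-off for a proxy that cannot know what the upstream server's filesystem does with them.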
🔧 Temporary Workarounds
Disable WebDAV
Disable WebDAV functionality entirely if it is not required.
Modify NextChat configuration to disable WebDAV endpoints.
Network Access Control
Restrict access to the WebDAV endpoints to trusted source addresses using firewall rules or network segmentation. NextChat serves the WebDAV proxy from the application itself, so there is no separate WebDAV port: a port-level rule applies to the whole application, and the placeholders below must be filled with the NextChat listen port and your trusted address range. Where that is too coarse, deny or allowlist the WebDAV path prefix at the reverse proxy in front of NextChat instead.
iptables -A INPUT -p tcp --dport [webdav-port] ! -s [trusted-cidr] -j DROP
Use cloud security groups to block external access.
🧯 If You Can't Patch
- Implement strict network access controls to limit WebDAV endpoint exposure to trusted IPs only.
- Deploy a web application firewall (WAF) with rules that block directory traversal patterns, including the percent-encoded ('%2e%2e/', '..%2f') and double-encoded ('%252e%252e') forms, not only the literal '../'.
🔍 How to Verify
Check if Vulnerable:
Send the WebDAV endpoint a request whose path contains a traversal sequence (e.g., GET /webdav/../../etc/passwd) and check whether the contents of a file outside the intended directory come back. Most HTTP clients collapse '../' before the request leaves the machine, so send the path verbatim (curl's --path-as-is flag) or use the percent-encoded form '%2e%2e/'; otherwise the test probes the wrong path and a clean result proves nothing.
Check Version:
Check the NextChat version in the admin panel or in the package.json of the deployed checkout: grep '"version"' package.json
Verify Fix Applied:
After patching, retest with the same traversal payloads (raw and percent-encoded); the requests should be rejected with a 4xx status such as 403 or 404 instead of returning file contents.
📡 Detection & Monitoring
Log Indicators:
- WebDAV requests whose path contains '../', '..\', or percent-encoded equivalents such as '%2e%2e/' and '..%2f' (and double-encoded '%252e%252e' where a proxy or WAF decodes once)
- Unusual file access patterns from WebDAV endpoints
Network Indicators:
- HTTP requests to WebDAV paths with traversal sequences
- Increased traffic to sensitive file paths
SIEM Query:
source="webdav.log" AND (uri="*../*" OR uri="*..\\*" OR uri="*%2e%2e*" OR (status=200 AND uri="*/etc/*"))
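The log and network indicators above, run as a scanner over access-log lines, as an added example that is not part of the original advisory or of NextChat. The six combined-format log lines are constructed, and the '/webdav/' path prefix is a placeholder to replace with the route your deployment actually exposes.

```javascript
// Added example, not from the advisory or NextChat: the page's log indicators
// as a scanner over access-log lines. The log lines are constructed and the
// "/webdav/" prefix is a placeholder for the route the deployment exposes.
const WEBDAV_PREFIX = "/webdav/";

// Constructed sample: one legitimate PROPFIND, four traversal attempts in raw,
// single-encoded, backslash-encoded and double-encoded form, and one benign
// file name containing ".." that must not fire.
const SAMPLE_LOG = [
  '10.0.0.5 - - [12/Aug/2025:10:01:02 +0000] "PROPFIND /webdav/notes/ HTTP/1.1" 207 512',
  '203.0.113.9 - - [12/Aug/2025:10:01:07 +0000] "GET /webdav/../../../etc/passwd HTTP/1.1" 200 1834',
  '203.0.113.9 - - [12/Aug/2025:10:01:09 +0000] "GET /webdav/%2e%2e/%2e%2e/.env HTTP/1.1" 200 411',
  '203.0.113.9 - - [12/Aug/2025:10:01:11 +0000] "GET /webdav/..%5c..%5cconfig.json HTTP/1.1" 404 0',
  '10.0.0.7 - - [12/Aug/2025:10:02:00 +0000] "GET /webdav/reports/2025..pdf HTTP/1.1" 200 9001',
  '198.51.100.4 - - [12/Aug/2025:10:03:30 +0000] "GET /webdav/%252e%252e/etc/shadow HTTP/1.1" 403 0',
];

// Apache/nginx combined format: ip, ident, user, [timestamp], "METHOD URI PROTO", status, bytes.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;

// Two dots, each raw, single- or double-encoded, followed by a slash or
// backslash in any of the same encodings. Matching encoded forms on the raw
// URI (instead of decoding first) mirrors what a SIEM sees in the request
// line, and the mandatory separator keeps names like "2025..pdf" from firing.
const TRAVERSAL_RE = /(?:\.|%2e|%252e){2}(?:\/|\\|%2f|%5c|%252f|%255c)/i;

// Paths whose successful (200) retrieval through a WebDAV proxy is never
// expected. A share that legitimately holds a ".env" will need tuning here.
const SENSITIVE_RE = /\/(?:etc\/(?:passwd|shadow)|\.env|\.git\/|proc\/self)/i;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: m[2], method: m[3], uri: m[4], status: Number(m[5]) };
}

// Returns the list of indicator names a single request matches (empty = clean).
function classify(entry) {
  const reasons = [];
  if (!entry.uri.startsWith(WEBDAV_PREFIX)) return reasons;
  if (TRAVERSAL_RE.test(entry.uri)) reasons.push("traversal-sequence");
  if (entry.status === 200 && SENSITIVE_RE.test(entry.uri)) reasons.push("sensitive-path-200");
  return reasons;
}

// Scans lines in order; returns the alerts plus a per-source-IP count so a
// single client hammering the endpoint stands out.
function scan(lines) {
  const alerts = [];
  const byIp = {};
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) continue;
    const reasons = classify(entry);
    if (reasons.length === 0) continue;
    alerts.push({ ip: entry.ip, ts: entry.ts, uri: entry.uri, status: entry.status, reasons });
    byIp[entry.ip] = (byIp[entry.ip] || 0) + 1;
  }
  return { alerts, byIp };
}

console.log(JSON.stringify(scan(SAMPLE_LOG), null, 1));
```

A 404 or 403 on a traversal payload is still worth an alert: it is the reconnaissance that precedes a successful read, and the per-IP count surfaces it even when the server rejected every attempt.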