CVE-2025-51661
📋 TL;DR
A path traversal vulnerability in FileCodeBox v2.2 and earlier allows unauthenticated remote attackers to write arbitrary files anywhere on the server filesystem when the application uses local storage. This occurs because user-supplied filenames are used without validation when constructing file paths. Any FileCodeBox instance configured with local filesystem storage is vulnerable.
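To show the root cause named above, the naive join of a user-supplied filename into a storage path, next to a containment check that rejects traversal, here is an added illustration in Python; it is not FileCodeBox code, and the storage root and function names are assumptions.

```python
"""Added example: naive filename join vs. a path-containment check."""
from pathlib import Path, PurePosixPath, PureWindowsPath

# Assumed storage root; the real FileCodeBox layout is not given on the page.
UPLOAD_ROOT = Path("/srv/filecodebox/data/share")


def unsafe_target(upload_root, user_filename: str) -> Path:
    """The pattern the advisory describes: the raw name is joined into the path.

    A name such as '../../../test.txt' or an absolute '/etc/passwd' lands
    outside upload_root (pathlib, like os.path.join, lets '/x' replace the root).
    """
    return Path(upload_root) / user_filename


def escapes_root(upload_root, user_filename: str) -> bool:
    """True when the naive join would end up outside upload_root."""
    root = Path(upload_root).resolve()
    target = unsafe_target(upload_root, user_filename).resolve()
    return target != root and root not in target.parents


def safe_target(upload_root, user_filename: str) -> Path:
    """Accept only a bare filename and prove the final path stays in root."""
    # Reject anything that is not a single path component on either platform:
    # on a POSIX host '..\\..\\x' is one literal component, so check both.
    for flavour in (PurePosixPath, PureWindowsPath):
        p = flavour(user_filename)
        if p.is_absolute() or p.drive or len(p.parts) != 1 or p.name in ("", ".", ".."):
            raise ValueError(f"rejected filename: {user_filename!r}")
    # Resolve (follows symlinks) and confirm the parent is exactly the root.
    root = Path(upload_root).resolve()
    target = (root / user_filename).resolve()
    if target.parent != root:
        raise ValueError(f"path escapes upload root: {user_filename!r}")
    return target


if __name__ == "__main__":
    # Constructed sample names: one benign, the rest traversal attempts.
    for name in ("report.pdf", "../../../test.txt", "..\\..\\win.ini", "/etc/passwd"):
        print(f"{name!r:24} naive join escapes root: {escapes_root(UPLOAD_ROOT, name)}")
        try:
            print("    hardened:", safe_target(UPLOAD_ROOT, name))
        except ValueError as exc:
            print("    hardened:", exc)
```

Note that `escapes_root` reports False for the backslash variant on a POSIX host, which is why the hardened check validates against both path flavours instead of relying on the resolved result alone.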
💻 Affected Systems
- FileCodeBox
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via arbitrary file writes leading to remote code execution, data destruction, or privilege escalation by overwriting critical system files.
Likely Case
Arbitrary file writes leading to web shell deployment, data exfiltration, or denial of service by overwriting application files.
If Mitigated
Limited impact if proper network segmentation, file system permissions, and input validation are in place.
🎯 Exploit Status
Exploitation requires sending crafted POST requests with path traversal sequences (e.g., ../../../) to the /share/file/ endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.3 or later
Vendor Advisory: https://github.com/vastsa/FileCodeBox/issues/349
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Stop the FileCodeBox service.
3. Update to v2.3 or later from the GitHub releases.
4. Restart the FileCodeBox service.
5. Verify the fix by testing file uploads with traversal attempts.
🔧 Temporary Workarounds
Disable Local Storage
Switch from SystemFileStorage to a cloud storage backend (S3, Azure, etc.) to eliminate the vulnerability.
Modify storage configuration in config.yaml to use cloud storage provider
Web Application Firewall Rules
Block path traversal sequences in POST requests to the /share/file/ endpoint.
Add WAF rule to block requests containing '../' or similar traversal patterns
🧯 If You Can't Patch
- Implement strict file system permissions to limit write access to application directory only.
- Deploy network segmentation to isolate FileCodeBox from critical systems and restrict external access.
🔍 How to Verify
Check if Vulnerable:
Test by attempting to upload a file with a filename containing path traversal sequences (e.g., '../../../test.txt') to the /share/file/ endpoint. If successful, the system is vulnerable.
Check Version:
Check the version in the web interface or run: grep 'version' config.yaml
Verify Fix Applied:
After patching, repeat the vulnerability test. File uploads with traversal sequences should be rejected or sanitized.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /share/file/ with filenames containing '../' or similar patterns
- File write operations outside the intended upload directory
Network Indicators:
- HTTP POST requests to /share/file/ with unusual filename parameters
- Traffic spikes to upload endpoint
SIEM Query:
source="web_logs" AND url_path="/share/file/" AND (filename="*../*" OR filename="*..\\*")