CVE-2026-24741
📋 TL;DR
ConvertX versions before 0.17.0 have a path traversal vulnerability in the /delete endpoint that allows attackers to delete arbitrary files on the server. This affects all self-hosted instances running vulnerable versions. Attackers can exploit this without authentication by sending specially crafted filename parameters.
💻 Affected Systems
- ConvertX
📦 What is this software?
ConvertX by C4illin
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise if critical system files are deleted, causing service disruption, data loss, or privilege escalation depending on server permissions.
Likely Case
Deletion of application files, configuration files, or user uploads leading to service disruption and data loss.
If Mitigated
Limited to deletion of files within the uploads directory only, with minimal impact on application functionality.
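The mitigated state described above (deletions confined to the uploads directory) is what a server-side path containment check produces. The following is an added illustration in Python, not ConvertX's own code; the uploads root, the function names and the sample file names are assumptions made for this example:

```python
import os
import posixpath
from typing import Optional

# Assumed uploads root; ConvertX's real directory layout is not described in the advisory.
UPLOADS_ROOT = "/srv/convertx/uploads"


def resolve_upload_path(filename: str, root: str = UPLOADS_ROOT) -> Optional[str]:
    """Map a user-supplied file name to an absolute path inside `root`.

    Returns None when the name would escape the uploads directory, which is the
    path traversal condition this advisory describes. The check is lexical only
    (no filesystem access), so it can run before any open/unlink call.
    """
    if not filename or "\x00" in filename:
        return None
    # Treat backslashes as separators so "..\" sequences are normalised like "../".
    normalised = filename.replace("\\", "/")
    if normalised.startswith("/"):
        return None  # an absolute path is never a valid upload name
    candidate = posixpath.normpath(posixpath.join(root, normalised))
    root_norm = posixpath.normpath(root)
    # Require the result to be strictly below the root: this rejects "." (the root
    # itself) and sibling directories such as "/srv/convertx/uploads-old".
    if not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def delete_upload(filename: str, unlink=None) -> bool:
    """Delete `filename` only if it resolves inside the uploads root.

    `unlink` is injected so the function can be exercised without touching disk;
    it defaults to os.remove. Returns True when a deletion was attempted.
    """
    target = resolve_upload_path(filename)
    if target is None:
        return False
    (unlink or os.remove)(target)
    return True


if __name__ == "__main__":
    # Constructed sample names: the first two are legitimate, the rest try to escape.
    for name in ["report.pdf", "batch/out.png", "../outside.txt",
                 "..\\..\\outside.txt", ".", "/outside.txt"]:
        print(f"{name!r:24} -> {resolve_upload_path(name)}")
```

The containment test compares against `root + "/"` rather than `root` alone so that a sibling directory sharing the prefix is also rejected; the web server and file permission workarounds further down limit the blast radius when such a check is absent.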
🎯 Exploit Status
Exploitation requires only HTTP POST requests with path traversal sequences. The advisory includes technical details that facilitate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.17.0
Vendor Advisory: https://github.com/C4illin/ConvertX/security/advisories/GHSA-w372-w6cr-45jp
Restart Required: Yes
Instructions:
1. Stop the ConvertX service.
2. Back up your configuration and data.
3. Update to version 0.17.0 using your package manager or by downloading from GitHub.
4. Restart the service.
🔧 Temporary Workarounds
Web Server Path Restriction
Configure the web server in front of ConvertX to restrict access to the /delete endpoint or to block requests containing path traversal patterns. Note that denying the endpoint outright, as in the examples below, also disables legitimate file deletion until the patch is applied.
# Example nginx location block
location ~ ^/delete$ {
    deny all;
}
# Example Apache .htaccess
RewriteEngine On
RewriteRule ^delete$ - [F]
File Permission Restriction
Run ConvertX as a dedicated, unprivileged user with minimal file system permissions so that a deletion cannot reach beyond the application's own files.
# Create dedicated user
sudo useradd -r -s /bin/false convertx
# Change ownership
sudo chown -R convertx:convertx /path/to/convertx
🧯 If You Can't Patch
- Implement network-level controls to restrict access to the ConvertX instance
- Monitor file deletion logs and implement file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check whether the installed version is below 0.17.0; if you need to confirm the behaviour, use a controlled path traversal payload only against a throwaway test file you created for that purpose.
Check Version:
Check package.json or application logs for version information
Verify Fix Applied:
After updating to 0.17.0, repeat the controlled test against the throwaway file and verify that the request is rejected and the file is untouched.
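The version check above turned into a small script. This is an added example, not part of the advisory or the ConvertX project; the sample package.json content is constructed, and only the fixed version 0.17.0 comes from the advisory:

```python
import json
import re
from typing import Tuple

FIXED_VERSION = "0.17.0"  # first fixed release named in the advisory

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '0.16.3', 'v0.16.3' or '0.16.3-rc1' into a tuple of ints.

    Comparing integers matters: as strings, '0.9.9' sorts after '0.17.0' and
    would be wrongly reported as fixed. Pre-release tags are ignored, so a
    0.17.0 pre-release is reported as fixed and should be checked by hand.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is older than the first fixed release."""
    return parse_version(version) < parse_version(fixed)


def check_package_json(text: str) -> dict:
    """Read the 'version' field from package.json content and classify it."""
    data = json.loads(text)
    version = data.get("version")
    if not isinstance(version, str):
        raise ValueError("package.json has no string 'version' field")
    return {"version": version, "vulnerable": is_vulnerable_version(version)}


# Constructed sample, not ConvertX's real package.json.
SAMPLE_PACKAGE_JSON = '{"name": "convertx", "version": "0.16.2", "private": true}'

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_PACKAGE_JSON
    result = check_package_json(text)
    state = "VULNERABLE (update to 0.17.0)" if result["vulnerable"] else "fixed"
    print(f"ConvertX {result['version']}: {state}")
```

Run it with the path to the deployed package.json as the first argument; without an argument it classifies the constructed sample.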
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /delete endpoint with ../ sequences
- Unexpected file deletion events in system logs
Network Indicators:
- POST requests to /delete with unusual filename parameters
- Multiple rapid deletion requests
SIEM Query:
source="web_logs" AND uri_path="/delete" AND (request_body CONTAINS "../" OR request_body CONTAINS "..\\")
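The log indicators and SIEM query above, turned into runnable detection logic. This is an added example, not part of the advisory: the JSON log schema (ts, client_ip, method, uri_path, request_body), the burst threshold and the sample records are all constructed assumptions. It goes beyond the query by also decoding URL-encoded traversal sequences and by flagging the "multiple rapid deletion requests" indicator per client:

```python
import json
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Matches "../" or "..\" after decoding; mirrors the advisory's SIEM query.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")

# Constructed sample log, one JSON record per line (assumed schema, not ConvertX's own format).
SAMPLE_LOG = """\
{"ts": "2026-02-01T10:00:01Z", "client_ip": "203.0.113.5", "method": "POST", "uri_path": "/delete", "request_body": "filename=report.pdf"}
{"ts": "2026-02-01T10:00:02Z", "client_ip": "198.51.100.7", "method": "POST", "uri_path": "/delete", "request_body": "filename=../../outside.txt"}
{"ts": "2026-02-01T10:00:03Z", "client_ip": "198.51.100.7", "method": "POST", "uri_path": "/delete", "request_body": "filename=%2e%2e%2foutside.txt"}
{"ts": "2026-02-01T10:00:04Z", "client_ip": "198.51.100.7", "method": "POST", "uri_path": "/delete", "request_body": "filename=..%5c..%5coutside.txt"}
{"ts": "2026-02-01T10:00:05Z", "client_ip": "203.0.113.5", "method": "GET", "uri_path": "/convert", "request_body": ""}
{"ts": "2026-02-01T10:00:06Z", "client_ip": "198.51.100.7", "method": "POST", "uri_path": "/delete", "request_body": "filename=a.txt"}
{"ts": "2026-02-01T10:00:07Z", "client_ip": "198.51.100.7", "method": "POST", "uri_path": "/delete", "request_body": "filename=b.txt"}
"""


def parse_log(text: str) -> List[Dict]:
    """Parse JSON-lines log text, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def has_traversal(body: str) -> bool:
    """True if the request body contains ../ or ..\\ after URL decoding.

    Decoding twice catches both single-encoded (%2e%2e%2f) and double-encoded
    (%252e%252e%252f) sequences that a plain substring match would miss.
    """
    return bool(TRAVERSAL_RE.search(unquote(unquote(body))))


def scan_events(records: List[Dict], burst_threshold: int = 5) -> List[Dict]:
    """Apply the advisory's indicators to a batch of log records and return alerts.

    The caller chooses the batch window (for example the last minute of logs);
    any client with `burst_threshold` or more POST /delete requests in the batch
    is reported as a burst.
    """
    alerts = []
    deletes_per_client: Counter = Counter()
    for rec in records:
        if rec.get("method") != "POST" or rec.get("uri_path") != "/delete":
            continue
        deletes_per_client[rec.get("client_ip", "?")] += 1
        if has_traversal(rec.get("request_body", "")):
            alerts.append({"reason": "traversal", "client_ip": rec.get("client_ip"),
                           "ts": rec.get("ts"), "request_body": rec.get("request_body")})
    for ip, count in deletes_per_client.items():
        if count >= burst_threshold:
            alerts.append({"reason": "burst", "client_ip": ip, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(parse_log(SAMPLE_LOG)):
        print(alert)
```

Capturing the request body requires the reverse proxy or application to log it; the access log alone only shows the method and path, which is enough for the burst indicator but not for the traversal one.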