GHSA-fv2p-qj5p-wqq4
HIGHLF Edge eKuiper vulnerable to File Path Traversal leading to file replacement
Blast Radius
github.com/lf-edge/ekuiper/v2🐹github.com/lf-edge/ekuiperReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Summary
Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application. In this case, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.
Details
The file handler function trusts the filename provided by the user. This includes the cases when the user uses a path instead of the filename. This makes possible to write arbitrary files to the system and replace the files owned by kuiper user on the filesystem. The vulnerable function is fileUploadHandler which is shown below:
Exploitation of this vulnerability allows an attacker to rewrite the files owned by ekuiper including the main kuiper binaries as they are owned by kuiper user:
PoC
- The files should be uploaded to
/kuiper/data/uploadsdirectory. So let's move to the/kuiper/data, examine the existing files and create an emptytraversal-pocfile owned by kuiper:
- Now, we can go to Services > Configuration > File Management and try to upload file with name
../test:
In the response we can see the path of the uploaded file and can assume that the traversal worked.
- Now we can try to change the
traversal-pocfile that we know exists on the server. It can be made with the following request:
- Now, if we look at the server, we can see the file created in the traversed directory and the replaced poc-file:
Impact
- Possibility to upload files to external directories;
- Possibility to rewrite any file owned by kuiper user on the filesystem.
Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/lf-edge/ekuiper/v2 | all versions | 2.2.0 |
| 🐹Go | github.com/lf-edge/ekuiper | all versions | No fix |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/lf-edge/ekuiper/v2. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/lf-edge/ekuiper/v2 to 2.2.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-fv2p-qj5p-wqq4 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-fv2p-qj5p-wqq4 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-fv2p-qj5p-wqq4. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-fv2p-qj5p-wqq4 in your dependencies?
O3 detects GHSA-fv2p-qj5p-wqq4 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.