DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-66292: DPanel's Delete Function Works Too Well: A Tale of Path Traversal


Vulnerability ID: CVE-2025-66292
CVSS Score: 8.1
Published: 2026-01-15

An arbitrary file deletion vulnerability in DPanel allows any authenticated user to delete files outside the attachment storage directory, including system files, by supplying directory traversal sequences in the path.

TL;DR

DPanel v1.9.1 and older contains a critical flaw in its attachment deletion logic. The application hands the user-supplied path to the deletion routine without checking that it stays inside the intended storage directory, so an authenticated attacker can break out of that directory and delete any file the DPanel process has permission to remove. A fix was released in v1.9.2 that rejects non-local paths with Go's filepath.IsLocal check.
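A stand-alone Go example of the same guard, added here and not taken from DPanel's code base: it validates a user-supplied attachment path with filepath.IsLocal before cleaning it and joining it under the storage root, and only deletes a path that passed. The storage root, function names and sample paths are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrNotLocal is returned for any path that could escape the storage root.
var ErrNotLocal = errors.New("attachment path escapes the storage root")

// ResolveAttachment follows the shape of the v1.9.2 fix: reject anything that
// is not a local relative path, then clean it and join it under root.
// The root and the function names here are assumptions for this example.
func ResolveAttachment(root, userPath string) (string, error) {
	// Lexical check: false for "", absolute paths and any ".." that escapes.
	if !filepath.IsLocal(userPath) {
		return "", ErrNotLocal
	}
	return filepath.Join(root, filepath.Clean(userPath)), nil
}

// DeleteAttachment deletes only a validated path and, unlike the pre-fix
// code, reports a missing file or a failed removal instead of ignoring it.
func DeleteAttachment(root, userPath string) error {
	full, err := ResolveAttachment(root, userPath)
	if err != nil {
		return err
	}
	if _, err := os.Stat(full); err != nil {
		return err
	}
	return os.Remove(full)
}

func main() {
	root := "/var/lib/dpanel/storage" // constructed example root
	for _, p := range []string{"uploads/report.pdf", "../../../target", "/etc/hosts", ""} {
		full, err := ResolveAttachment(root, p)
		fmt.Printf("%q -> %q (err: %v)\n", p, full, err)
	}
}
```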


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22 (Path Traversal)
  • Attack Vector: Network
  • CVSS v3.1: 8.1 (High)
  • Privileges Required: Low (Authenticated)
  • Impact: High Integrity, High Availability
  • Exploit Status: POC Available

Affected Systems

  • DPanel Server Management Panel
  • DPanel: < 1.9.2 (Fixed in: 1.9.2)

Code Analysis

Commit: cbda0d9

Fixed arbitrary file deletion vulnerability by implementing filepath.IsLocal check

@@ -51,11 +50,21 @@ func (self Attach) Delete(http *gin.Context) {
    if !self.Validate(http, &params) {
        return
    }
+   if !filepath.IsLocal(params.Path) {
+       self.JsonResponseWithError(http, function.ErrorMessage(define.ErrorMessageCommonDataNotFoundOrDeleted), 500)
+       return
+   }
+   params.Path = filepath.Clean(params.Path)
    path := storage.Local{}.GetSaveRealPath(params.Path)
-   fmt.Printf("%v \n", path)
    _, err := os.Stat(path)
-   if err == nil {
-       os.Remove(path)
+   if err != nil {
+       self.JsonResponseWithError(http, err, 500)
+       return
+   }
+   err = os.Remove(path)
+   if err != nil {
+       self.JsonResponseWithError(http, err, 500)
+       return
    }
    self.JsonSuccessResponse(http)
    return
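Review bot: filepath.IsLocal is a purely lexical check, so the new guard correctly rejects ".." escapes, absolute paths and the empty string, but it cannot see through symlinks that already exist under the storage root; the non-root deployment recommended under Mitigation Strategies is the right complement to it. The rejected-path branch also answers with status 500 and a "not found or deleted" message, which reports a client input error as a server failure; a 400 (or a 404 matching the message) would be clearer, and the err != nil branch after os.Stat has the same issue for missing files. Since filepath.IsLocal was added in Go 1.20, the module's minimum Go version should be checked to match.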

Exploit Details

  • Hypothetical PoC: POST /api/common/attach/delete with payload {"path": "../../../target"}

Mitigation Strategies

  • Upgrade DPanel to v1.9.2 or later immediately.
  • Run the DPanel service as a non-root user with restricted filesystem permissions.
  • Implement WAF rules to block requests containing directory traversal sequences (../) in JSON payloads.

Remediation Steps:

  1. Stop the DPanel service.
  2. Download the latest release binary from GitHub.
  3. Replace the old binary with the v1.9.2 version.
  4. Restart the service.
  5. Audit logs for any 'os.Remove' errors that occurred prior to patching.

Read the full report for CVE-2025-66292 on our website for more details including interactive diagrams and full exploit analysis.
