DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-9CP7-J3F8-P5JX: Unauthenticated Path Traversal and Zip Slip in Daptin

Vulnerability ID: GHSA-9CP7-J3F8-P5JX
CVSS Score: 9.8
Published: 2026-04-10

Daptin, a Backend-as-a-Service and headless CMS, contains a critical vulnerability in which multiple file processing endpoints fail to sanitize user-supplied file names. This flaw permits unauthenticated attackers to write arbitrary files outside the intended directories, which can lead to Remote Code Execution (RCE).

TL;DR

Daptin improperly sanitizes file names in archive extraction and file upload routines. This allows unauthenticated attackers to exploit Path Traversal and Zip Slip vulnerabilities to write arbitrary files to the host filesystem, potentially achieving full system compromise.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22, CWE-29
  • Attack Vector: Network
  • Authentication: None Required
  • Impact: Arbitrary File Write / RCE
  • Exploit Status: Proof of Concept available based on advisory data
  • CVSS Score: 9.8 Critical

Affected Systems

  • Daptin Backend-as-a-Service
  • Daptin Headless CMS
  • Integrated Daptin FTP Server Module
  • Daptin: < 8d626bbb14f82160a08cbca53e0749f475f5742c (Fixed in: 8d626bbb14f82160a08cbca53e0749f475f5742c)

Code Analysis

Commit: 8d626bb

Fix for Path Traversal and Zip Slip vulnerabilities by sanitizing filenames using filepath.Clean and removing traversal prefixes.

Added filepath.Clean(file.Name) and loop to strip '../' prefixes in unzip routine; used filepath.Base() in CSV/XLS routines.
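The two sanitization techniques named in the commit, shown as an added example that is not Daptin's code: a containment check for archive entry names (the Zip Slip case), and filepath.Base for uploaded CSV/XLS names with the degenerate values Base can return handled explicitly. The containment check goes one step beyond stripping "../" prefixes, since it verifies that the joined path still lies under the destination directory; the destination path and entry names are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal marks a name that would escape its destination directory.
var ErrTraversal = errors.New("name escapes destination directory")

// safeJoin joins an untrusted archive entry name onto dest and keeps the result only if it stays
// inside dest. Clean alone does not settle this: Clean("../x") is still "../x", so Rel is checked.
func safeJoin(dest, name string) (string, error) {
	target := filepath.Join(dest, name) // Join cleans, collapsing "a/../../b" forms as well
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// safeBaseName mirrors the CSV/XLS fix (filepath.Base): Base("../../x.csv") is "x.csv", but Base
// also yields ".", ".." or "/" for degenerate input, so those are rejected rather than used.
func safeBaseName(name string) (string, error) {
	base := filepath.Base(name)
	if base == "." || base == ".." || base == string(filepath.Separator) {
		return "", ErrTraversal
	}
	return base, nil
}

// planExtract resolves every entry name before anything is written, so one hostile entry rejects the whole archive.
func planExtract(dest string, names []string) ([]string, error) {
	paths := make([]string, 0, len(names))
	for _, n := range names {
		p, err := safeJoin(dest, n)
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", n, err)
		}
		paths = append(paths, p)
	}
	return paths, nil
}

func main() { // constructed sample: one benign entry and one that climbs out of dest
	_, err := planExtract("/srv/uploads", []string{"data/users.csv", "../../escape.txt"})
	fmt.Println(err)
}
```

The entry names passed to planExtract are what an unzip routine reads from each zip.File's Name field; an extractor should call it (or safeJoin per entry) before creating any file.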

Mitigation Strategies

  • Upgrade to the latest version of Daptin containing commit 8d626bbb14f82160a08cbca53e0749f475f5742c.
  • Implement Web Application Firewall (WAF) rules targeting path traversal sequences in query parameters and JSON payloads. Treat this as a partial control: traversal sequences in archive entry names are not visible to a WAF unless it unpacks uploaded archives.
  • Run the Daptin application process with an unprivileged service account restricted to its specific working directories.
  • Restrict the file extensions accepted by upload handlers where possible.

Remediation Steps:

  1. Identify the current running version or commit of Daptin.
  2. Pull the latest codebase from the official repository integrating commit 8d626bbb14f82160a08cbca53e0749f475f5742c.
  3. Recompile the application and redeploy the binaries.
  4. Audit the filesystem for unexpectedly modified files, particularly SSH keys and configuration files.
  5. Apply least privilege permissions to the service user.

References

Read the full report for GHSA-9CP7-J3F8-P5JX on our website for more details including interactive diagrams and full exploit analysis.
