9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29180

GHSA ID

GHSA-4wpp-w5r4-7v5v

EPSS Score

0.46769%

CWE

CWE-918

Published

5/24/2022

Updated

1/27/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-29180

CVE-2022-29180: Server-Side Request Forgery in charm

We've discovered a vulnerability in which attackers could forge HTTP requests to manipulate the charm data directory to access or delete anything on the server. This has been patched in https://github.com/charmbracelet/charm/commit/3c90668f955c7ce5ef721e4fc9faee7053232fd3 and is available in release v0.12.1. We recommend that all users running self-hosted charm instances update immediately.

This vulnerability was found in-house and we haven't been notified of any potential exploiters.

Additional notes

Encrypted user data uploaded to the Charm server is safe as Charm servers cannot decrypt user data. This includes filenames, paths, and all key-value data.
Users running the official Charm Docker images are at minimal risk because the exploit is limited to the containerized filesystem.

For more information

If you have any questions or comments about this advisory:

Open a discussion
Email us at vt100@charm.sh
Chat with us on Slack

Charm热爱开源 • Charm loves open source

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29180

GHSA ID

GHSA-4wpp-w5r4-7v5v

EPSS Score

0.46769%

CWE

CWE-918

Published

5/24/2022

Updated

1/27/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/charmbracelet/charm	go	>= 0.9.0, < 0.12.1	0.12.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from unsanitized path parameters in file operations. The commit 3c90668 adds path sanitization using filepath.Clean to these three handler functions. Before the patch, they directly used pattern.Path() from request context without validation, allowing path traversal attacks via specially crafted paths. These functions directly interact with the filesystem using user-controlled input, making them the clear attack surface for SSRF and file system manipulation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W*'v* *is*ov*r** * vuln*r**ility in w*i** *tt**k*rs *oul* *or** *TTP r*qu*sts to m*nipul*t* t** `***rm` **t* *ir**tory to ****ss or **l*t* *nyt*in* on t** s*rv*r. T*is **s ***n p*t**** in *ttps://*it*u*.*om/***rm*r***l*t/***rm/*ommit/****************

Reasoning

T** vuln*r**ility st*mm** *rom uns*nitiz** p*t* p*r*m*t*rs in *il* op*r*tions. T** *ommit ******* ***s p*t* s*nitiz*tion usin* `*il*p*t*.*l**n` to t**s* t*r** **n*l*r `*un*tions`. ***or* t** p*t**, t**y *ir**tly us** `p*tt*rn.P*t*()` *rom r*qu*st *on

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-29180: Server-Side Request Forgery in charm

Additional notes

For more information

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI