N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-53363

GHSA ID

GHSA-gcqf-pxgg-gw8q

EPSS Score

CWE

CWE-22

Published

8/22/2025

Updated

8/22/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-53363

CVE-2025-53363: Dpanel has an arbitrary file read vulnerability

Summary

Dpanel has an arbitrary file read vulnerability in the /api/app/compose/get-from-uri interface.Logged in to Dpanel ,this interface can be used to read arbitrary files.

Details

When a user logs into the administrative backend, this interface can read any files on the host/sever (given the necessary permissions), which may lead to system information leakage. The vulnerability lies in the GetFromUri function within the app/application/http/controller/compose.go file. The uri parameter submitted by the user in JSON format can be directly read and returned by os.ReadFile without proper security handling.

PoC

POST /api/app/compose/get-from-uri HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJ......lWg==
Connection: close
Content-Type: application/json
Content-Length: 21

{"uri":"/etc/passwd"}

Impact

This vulnerability could lead to the leakage of sensitive server file information. In versions from 1.2.0 up to the latest (1.7.2), logged-in users can make requests to this interface.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-53363

CVE-2025-53363:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-53363

GHSA ID

GHSA-gcqf-pxgg-gw8q

EPSS Score

CWE

CWE-22

Published

8/22/2025

Updated

8/22/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/donknap/dpanel	go	>= 1.2.0, <= 1.7.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis is based on the detailed vulnerability description provided in the GHSA advisory GHSA-gcqf-pxgg-gw8q. The advisory clearly identifies the GetFromUri function located in the app/application/http/controller/compose.go file as the source of the arbitrary file read vulnerability. The description specifies that the 'uri' parameter from the user's request is passed directly to os.ReadFile, which is a classic path traversal vulnerability pattern.

The provided Proof of Concept (PoC) confirms this, showing a POST request to the /api/app/compose/get-from-uri endpoint with a payload of {"uri":"/etc/passwd"} to read a sensitive system file.

While the exact patch commit was not available, the file content retrieved for compose.go shows the GetFromUri function now uses http.Get() instead of os.ReadFile(). This change strongly indicates that the developers attempted to patch the local file read vulnerability by changing the functionality to fetch a remote URL. This modification, while potentially introducing a different vulnerability (SSRF), serves as strong evidence for the location and nature of the original arbitrary file read vulnerability. Therefore, the controller.Compose.GetFromUri function is identified as the vulnerable function that would appear in a runtime profile during exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-53363: Dpanel has an arbitrary file read vulnerability

Summary

Details

PoC

Impact

CVE-2025-53363:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

CVE-2025-53363: Dpanel has an arbitrary file read vulnerability

Summary

Details

PoC

Impact

N/A

N/A

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI