N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-rj4j-2jph-gg43

EPSS Score

CWE

CWE-22

Published

11/24/2025

Updated

11/24/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-rj4j-2jph-gg43

GHSA-rj4j-2jph-gg43: LF Edge eKuiper is vulnerable to Arbitrary File Read/Write via unsanitized names and zip extraction

Summary

Multiple path traversal and unsafe path handling vulnerabilities were discovered in eKuiper prior to the fixes implemented in PR lf-edge/ekuiper#3911. The issues allow attacker-controlled input (rule names, schema versions, plugin names, uploaded file names, and ZIP entries) to influence file system paths used by the application. In vulnerable deployments, this can permit files to be created, overwritten, or extracted outside the intended directories, potentially enabling disclosure of sensitive files, tampering with configuration or plugin binaries, denial of service, or other host compromise scenarios.

Several components used unvalidated user input when constructing filesystem paths or when extracting archives. In each case, input was accepted and used directly in path operations (join, create, delete, extract) without sufficient sanitization or canonicalization, allowing the input to include path separators, .. segments, or absolute paths.

Impact

Arbitrary file overwrite / deletion: attackers could overwrite or delete files outside the intended directory, which can corrupt application data, remove logs, or disable services.

Resources

https://github.com/lf-edge/ekuiper/commit/58362b089c76f08c400fe0dbb3667e6e871eaffd
https://github.com/lf-edge/ekuiper/pull/3911

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-rj4j-2jph-gg43

GHSA-rj4j-2jph-gg43:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-rj4j-2jph-gg43

EPSS Score

CWE

CWE-22

Published

11/24/2025

Updated

11/24/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/lf-edge/ekuiper/v2	go	< 2.3.0	2.3.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, identified as GHSA-rj4j-2jph-gg43, is a series of path traversal flaws within the LF Edge eKuiper application. The root cause is the improper handling of user-provided input across multiple components when constructing file system paths. Attacker-controlled data, including rule names, schema versions, plugin names, uploaded file names, and ZIP archive entries, were used directly in file operations without sufficient sanitization.

The analysis of the patch commit 58362b089c76f08c400fe0dbb3667e6e871eaffd reveals several functions that were modified to add input validation. These modifications highlight the exact locations of the vulnerabilities. For instance, the filex.UnzipTo function was patched to validate filenames from zip entries, native.Manager.getSoFilePath was changed to sanitize plugin names, and server.deleteRuleData now checks rule names before deletion. In each case, the lack of prior validation allowed for arbitrary file read, write, or deletion by crafting inputs with path traversal sequences like ../.

Vulnerable functions

filex.UnzipTo

internal/pkg/filex/zip.go

The function `UnzipTo` extracts a file from a zip archive. The `name` of the file, which is taken from the zip entry, was used to construct the destination path without validation. This allows an attacker to craft a zip file with entries like `../../../../etc/passwd` to write files outside the intended extraction directory. The patch adds a call to `path.VerifyFileName` to sanitize the entry name.

native.Manager.getSoFilePath

internal/plugin/native/manager.go

The function `getSoFilePath` constructs the file path for a native plugin's shared object (`.so`) file based on the provided `name`. This name was not sanitized, allowing path traversal characters (`..`, `/`, `\`). An attacker could use a malicious plugin name to make the application load a shared object from an arbitrary path, leading to code execution.

schema.CreateOrUpdateSchema

internal/schema/registry.go

The function `CreateOrUpdateSchema` handles schema creation and updates. While the schema `name` was validated, the `version` was not. Both are used to construct file paths for storing schema information. An attacker could provide a schema with a malicious `version` string containing path traversal characters to write or overwrite files in unintended locations.

server.fileContent.Validate

internal/server/rest.go

The `Validate` method is called on `fileContent` objects, which likely represent uploaded files via a REST endpoint. Before the patch, the `Name` field of the file was not checked for path traversal characters. This would allow an attacker to upload a file with a name like `../../../../tmp/pwned` to write it to an arbitrary location on the server's filesystem. The patch adds a call to `path.VerifyFileName` to prevent this.

server.deleteRuleData

internal/server/rule_manager.go

The function `deleteRuleData` is responsible for deleting data associated with a rule. The rule `name` is used to determine the path of the data to be deleted. Without validation, an attacker could provide a malicious rule name containing path traversal characters, causing the deletion of arbitrary files or directories on the system.

service.Manager.initFile

internal/service/manager.go

The function `initFile` reads a service configuration file based on the `baseName` parameter. This parameter was not sanitized, allowing an attacker to specify a path that traverses the directory structure (e.g., `../../../../etc/hosts`). This could lead to the disclosure of sensitive files, as the application would read the file from the specified arbitrary path.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-rj4j-2jph-gg43: LF Edge eKuiper is vulnerable to Arbitrary File Read/Write via unsanitized names and zip extraction

Summary

Impact

Resources

GHSA-rj4j-2jph-gg43:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

GHSA-rj4j-2jph-gg43: LF Edge eKuiper is vulnerable to Arbitrary File Read/Write via unsanitized names and zip extraction

Summary

Impact

Resources

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI