GHSA-3558-j79f-vvm6

Suggest an improvement
Source
https://github.com/advisories/GHSA-3558-j79f-vvm6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-3558-j79f-vvm6/GHSA-3558-j79f-vvm6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3558-j79f-vvm6
Aliases
Published
2026-01-13T19:15:13Z
Modified
2026-02-03T03:01:02.653500Z
Severity
  • 7.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Gin-vue-admin has arbitrary file upload vulnerability caused by path traversal
Details

Impact

Gin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. Attacker can upload any files on any directory.

Path traversal vulnerabilities occur when a web application accepts user-supplied file paths without proper validation, allowing attackers to access or write files outside the intended directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../).

Notably, while the related makeFileContent function in the same file properly validates the fileName parameter by checking for .. sequences, the MakeFile function lacks this security control, indicating an inconsistent security implementation.

An attacker with file upload privileges (role ID 888 - super administrator) could exploit this vulnerability by:

First uploading file chunks through the /fileUploadAndDownload/breakpointContinue endpoint (which has proper validation)

Then calling the /fileUploadAndDownload/breakpointContinueFinish endpoint with a malicious fileName parameter containing path traversal sequences (e.g., ../../../tmp/malicious.txt)

This could lead to: Arbitrary file creation, application process, Configuration file overwriting, Potential Remote Code Execution......

POC

  1. Use this endpoint to upload any files(include *name or *file types) <img width="1429" height="788" alt="Clipboard_Screenshot_1767755216" src="https://github.com/user-attachments/assets/516022d6-32af-4810-abd9-945cb0bc5ae5" />

  2. Then, the filename parameter here uses ../ to traverse to an arbitrary path. <img width="1445" height="306" alt="Clipboard_Screenshot_1767755256" src="https://github.com/user-attachments/assets/577aa1c1-9b26-4082-b431-f9dac1cdc307" />

  3. Proof <img width="837" height="843" alt="Clipboard_Screenshot_1767755312" src="https://github.com/user-attachments/assets/66f51049-8dc8-4c94-994e-a6d8bc1196a9" />

Patches

Please wait for the latest patch

Database specific 
{
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22",
        "CWE-434"
    ],
    "github_reviewed_at": "2026-01-13T19:15:13Z",
    "nvd_published_at": "2026-01-12T22:16:08Z"
}
References

Affected packages

Go / github.com/flipped-aurora/gin-vue-admin

Package

Name
github.com/flipped-aurora/gin-vue-admin
View open source insights on deps.dev
Purl
pkg:golang/github.com/flipped-aurora/gin-vue-admin

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
2.8.7

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-3558-j79f-vvm6/GHSA-3558-j79f-vvm6.json"