Closed
Description
Advisory GHSA-rj4j-2jph-gg43 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/lf-edge/ekuiper |
| github.com/lf-edge/ekuiper/v2 |
Description:
Summary
Multiple path traversal and unsafe path handling vulnerabilities were discovered in eKuiper prior to the fixes implemented in PR lf-edge/ekuiper#3911. The issues allow attacker-controlled input (rule names, schema versions, plugin names, uploaded file names, and ZIP entries) to influence file system paths used by the application. In vulnerable deployments, this can permit files to be created, overwritten, or extracted outside the intended directories, potentially enabling disclosure of sensitive files, tampering with configuration or ...
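The input classes named above need two different checks: names that must be a single path component (rule names, schema versions, plugin names, uploaded file names) should be rejected outright if they contain separators or dot segments, while ZIP entry names are legitimately multi-component and must instead be cleaned and checked for containment in the destination before anything is written. The following Go program is an added example for this report; it is not eKuiper's code and not the fix from lf-edge/ekuiper#3911. The function names, the base directory `/srv/ekuiper`, and the archive contents are constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for any name that would resolve outside its base.
var ErrUnsafePath = errors.New("unsafe path: escapes base directory")

// SafeName validates a single path component (hypothetical callers: rule name,
// schema version, plugin name, uploaded file name). It must be a plain name:
// non-empty, not "." or "..", and free of separators and NUL bytes.
func SafeName(name string) error {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, "/\\\x00") {
		return ErrUnsafePath
	}
	return nil
}

// SafeJoin joins an untrusted, possibly multi-component name (e.g. a ZIP entry)
// onto base and returns the absolute target, or ErrUnsafePath if the cleaned
// result is not inside base. Containment is checked after Clean, so
// "a/../../x" is caught even though it does not start with "..".
func SafeJoin(base, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", ErrUnsafePath
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absBase, name) // Join runs Clean on the result
	rel, err := filepath.Rel(absBase, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// ExtractZip extracts r into dest. Every entry is validated before any file is
// written, so one zip-slip entry cannot leave a half-extracted archive behind.
// Symlink entries are refused because they could redirect later writes.
func ExtractZip(r *zip.Reader, dest string) ([]string, error) {
	targets := make([]string, len(r.File))
	for i, f := range r.File {
		if f.Mode()&os.ModeSymlink != 0 {
			return nil, fmt.Errorf("entry %q: symlinks are not allowed", f.Name)
		}
		t, err := SafeJoin(dest, f.Name)
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", f.Name, err)
		}
		targets[i] = t
	}
	var written []string
	for i, f := range r.File {
		target := targets[i]
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		out, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
		if err != nil {
			rc.Close()
			return written, err
		}
		_, err = io.Copy(out, rc)
		rc.Close()
		out.Close()
		if err != nil {
			return written, err
		}
		written = append(written, target)
	}
	return written, nil
}

// zipEntry and buildZip produce a constructed in-memory archive for testing;
// the traversal entry names are what an attacker would upload.
type zipEntry struct{ Name, Body string }

func buildZip(entries []zipEntry) (*zip.Reader, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, err := w.Create(e.Name) // the writer does not validate names
		if err != nil {
			return nil, err
		}
		if _, err := fw.Write([]byte(e.Body)); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	r, err := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) { // tolerate GODEBUG zipinsecurepath=0
		return nil, err
	}
	return r, nil
}

func main() {
	dest, err := os.MkdirTemp("", "unzip-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	r, err := buildZip([]zipEntry{{"conf/rules.yaml", "rules: []\n"}, {"../../etc/cron.d/evil", "* * * * * root id\n"}})
	if err != nil {
		panic(err)
	}
	_, err = ExtractZip(r, dest)
	fmt.Println("extract:", err) // rejected before the first write
	for _, n := range []string{"rule1", "../../../etc/passwd", "v1/schema"} {
		fmt.Printf("SafeName(%q): %v\n", n, SafeName(n))
	}
}
```

On Go 1.20 and later, `filepath.IsLocal` is the standard-library primitive for the containment check and `archive/zip` can report `zip.ErrInsecurePath` for entry names that are absolute or contain `..`; whether `NewReader` actually returns that error is governed by the `zipinsecurepath` GODEBUG setting, so an extractor should perform its own check rather than depend on it. One residual risk the example does not close: if `dest` already contains a symlinked directory, `os.MkdirAll` and the subsequent write follow it. Extracting into a fresh temporary directory and moving the result into place afterwards avoids that.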
References:
- ADVISORY: GHSA-rj4j-2jph-gg43
- ADVISORY: GHSA-rj4j-2jph-gg43
- FIX: lf-edge/ekuiper@58362b0
- FIX: fix(core): Enforce safe path validation user Input lf-edge/ekuiper#3911
Cross references:
- github.com/lf-edge/ekuiper appears in 6 other report(s):
- data/reports/GO-2024-3078.yaml (x/vulndb: potential Go vuln in github.com/lf-edge/ekuiper: CVE-2024-43406 #3078)
- data/reports/GO-2025-3508.yaml (x/vulndb: potential Go vuln in github.com/lf-edge/ekuiper: CVE-2024-52812 #3508)
- data/reports/GO-2025-3682.yaml (x/vulndb: potential Go vuln in github.com/lf-edge/ekuiper: CVE-2024-52290 #3682)
- data/reports/GO-2025-3799.yaml (x/vulndb: potential Go vuln in github.com/lf-edge/ekuiper: GHSA-fv2p-qj5p-wqq4 #3799)
- data/reports/GO-2025-3800.yaml (x/vulndb: potential Go vuln in github.com/lf-edge/ekuiper: GHSA-gj54-gwj9-x2c6 #3800)
- data/reports/GO-2025-3827.yaml (x/vulndb: potential Go vuln in github.com/lf-edge/ekuiper/v2: GHSA-526j-mv3p-f4vv #3827)
- github.com/lf-edge/ekuiper/v2 appears in 5 other report(s):
- data/reports/GO-2025-3508.yaml (x/vulndb: potential Go vuln in github.com/lf-edge/ekuiper: CVE-2024-52812 #3508)
- data/reports/GO-2025-3682.yaml (x/vulndb: potential Go vuln in github.com/lf-edge/ekuiper: CVE-2024-52290 #3682)
- data/reports/GO-2025-3799.yaml (x/vulndb: potential Go vuln in github.com/lf-edge/ekuiper: GHSA-fv2p-qj5p-wqq4 #3799)
- data/reports/GO-2025-3800.yaml (x/vulndb: potential Go vuln in github.com/lf-edge/ekuiper: GHSA-gj54-gwj9-x2c6 #3800)
- data/reports/GO-2025-3827.yaml (x/vulndb: potential Go vuln in github.com/lf-edge/ekuiper/v2: GHSA-526j-mv3p-f4vv #3827)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/lf-edge/ekuiper
      vulnerable_at: 1.14.7
    - module: github.com/lf-edge/ekuiper/v2
      versions:
          - fixed: 2.3.0
      vulnerable_at: 2.3.0-beta.7
summary: |-
    LF Edge eKuiper is vulnerable to Arbitrary File Read/Write via unsanitized names
    and zip extraction in github.com/lf-edge/ekuiper
ghsas:
    - GHSA-rj4j-2jph-gg43
references:
    - advisory: https://github.com/advisories/GHSA-rj4j-2jph-gg43
    - advisory: https://github.com/lf-edge/ekuiper/security/advisories/GHSA-rj4j-2jph-gg43
    - fix: https://github.com/lf-edge/ekuiper/commit/58362b089c76f08c400fe0dbb3667e6e871eaffd
    - fix: https://github.com/lf-edge/ekuiper/pull/3911
source:
    id: GHSA-rj4j-2jph-gg43
    created: 2025-11-25T00:01:29.732337926Z
review_status: UNREVIEWED
```