Description
GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = "config"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:"required"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue.
Published: 2026-03-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a path traversal flaw in the /api/v1/file/content endpoint where the filename parameter is concatenated to the config path without sanitization. An attacker who can authenticate to the service can craft filenames with ../ to read or create files outside the intended config directory, potentially accessing TLS private keys, OAuth tokens, or any file readable by the container. This can lead to disclosure of sensitive data, credential compromise, and full system takeover. The weakness corresponds to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

Affected Systems

Affected product is GoDoxy, a reverse proxy and container orchestrator developed by yusing. Versions earlier than 0.27.5 are vulnerable. The vulnerability affects any installation exposing the API endpoint, regardless of deployment environment, as the flaw exists in the core file handling logic. Users running environments with the ConfigBasePath set to the relative "config" directory are included.

Risk and Exploitability

The CVSS score is 6.5, indicating a medium severity. EPSS is below 1%, suggesting a low exploitation probability. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires valid authentication to the service, but once authenticated, the attacker can bypass confinement and access or modify arbitrary files within the container. Because the payload does not require privilege escalation prior to authentication, the risk to the entire host depends on the container's UID and privileges. The vulnerability is likely to be exploited through the exposed API endpoint over the network.

Generated by OpenCVE AI on April 2, 2026 at 22:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GoDoxy to version 0.27.5 or later to eliminate the path traversal vulnerability.

Generated by OpenCVE AI on April 2, 2026 at 22:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4753-cmc8-8j9v GoDoxy has a Path Traversal Vulnerability in its File API
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Godoxy
Godoxy godoxy
CPEs cpe:2.3:a:godoxy:godoxy:*:*:*:*:*:go:*:*
Vendors & Products Godoxy
Godoxy godoxy

Fri, 27 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Yusing
Yusing godoxy
Vendors & Products Yusing
Yusing godoxy

Thu, 26 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = "config"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:"required"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue.
Title GoDoxy has a Path Traversal Vulnerability in its File API
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Godoxy Godoxy
Yusing Godoxy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T13:57:45.401Z

Reserved: 2026-03-20T18:05:11.830Z

Link: CVE-2026-33528

cve-icon Vulnrichment

Updated: 2026-03-27T13:45:48.406Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T20:16:14.913

Modified: 2026-04-02T18:17:26.267

Link: CVE-2026-33528

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:38:53Z

Weaknesses