CVE-2025-6853
BaseFortify
Publication date: 2025-06-29
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chatchat-space | langchain-chatchat | to 0.3.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6853 is a critical path traversal vulnerability in the Langchain-Chatchat backend, specifically in the /knowledge_base/upload_temp_docs endpoint. The vulnerability arises because the application does not properly validate or sanitize the filename provided by the user when uploading files. This allows an attacker to manipulate the filename with path traversal sequences (e.g., ../../../) to write files outside the intended directory on the server. As a result, an attacker can write arbitrary files anywhere on the server filesystem remotely. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including arbitrary file write on the server, which can be exploited to upload malicious scripts or overwrite critical system or application files. This can lead to remote code execution (RCE), allowing attackers to execute arbitrary code and gain control over the server. Additionally, overwriting essential files can disrupt system or application functionality, potentially causing crashes or denial of service. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for suspicious POST requests to the `/knowledge_base/upload_temp_docs` endpoint containing filenames with path traversal sequences such as `../../../`. A practical detection method is to capture and inspect HTTP requests for file uploads with filenames including directory traversal patterns. For example, using a tool like tcpdump or Wireshark to filter HTTP POST requests to the vulnerable endpoint, or using command-line tools like curl to test the endpoint with crafted filenames. A sample curl command to test the vulnerability could be: curl -X POST -F "[email protected];filename=../../../test.txt" http://<target-server>/knowledge_base/upload_temp_docs If the server accepts this request and writes the file outside the intended directory, the vulnerability is present. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the `/knowledge_base/upload_temp_docs` endpoint to authenticated and authorized users only, to reduce exposure. Implement strict validation and sanitization of the `flag` argument and any file path inputs to prevent directory traversal sequences. Enforce file path filtering to ensure uploaded files are saved only within designated directories, rejecting any paths that attempt to escape these directories. If possible, replace or upgrade the affected Langchain-Chatchat software to a version that addresses this vulnerability or consider alternative products. Monitoring and blocking suspicious requests with path traversal patterns can also help mitigate exploitation. [2, 3]