CVE-2026-25161
Path Traversal in Alist Allows Unauthorized File Operations
Publication date: 2026-02-04
Last updated on: 2026-02-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| alistgo | alist | < 3.57.0 (3.57.0 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25161 is a path traversal vulnerability in the Alist file list program prior to version 3.57.0. It affects multiple file operation handlers in which filename components supplied by authenticated users are concatenated with directory paths without proper sanitization. This lets an attacker inject traversal sequences such as "../" to escape directory restrictions.

As a result, an authenticated attacker with basic file operation permissions can bypass directory-level authorization controls within the same storage mount, and can remove, move, copy, or rename files across user boundaries by manipulating file paths.

The vulnerability was patched by introducing secure path joining, path validation, file type checks, and improved error handling to prevent directory traversal and Zip Slip attacks during file operations and archive extraction. [1, 2]
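To make the bug class concrete, here is an added example in Go (Alist's implementation language). It is not Alist's code and does not reproduce its internals: unsafeJoin models the unsanitized concatenation the advisory describes, resolvedTarget shows where that path actually lands once normalized, and safeJoin models the secure path joining and containment validation the fix introduced. The directory layout (/users/alice, /users/bob) and the function names are illustrative assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrTraversal is returned when a user-supplied name would resolve outside
// the directory the caller is authorized to operate in.
var ErrTraversal = errors.New("name escapes the authorized directory")

// unsafeJoin reproduces the bug class the advisory describes: the caller's
// authorized directory and a user-controlled file name are concatenated with
// no neutralization of ".." components. (Illustrative, not Alist's code.)
func unsafeJoin(authorizedDir, name string) string {
	return authorizedDir + "/" + name
}

// resolvedTarget shows where the storage layer would actually operate once
// the concatenated path is normalized: "../" components walk out of the
// authorized directory into a sibling user's tree on the same mount.
func resolvedTarget(authorizedDir, name string) string {
	return path.Clean(unsafeJoin(authorizedDir, name))
}

// safeJoin is a hardened replacement: a "name" must be a single path
// component (no separators, not "." or ".."), and the normalized result is
// re-checked for containment under authorizedDir as defense in depth. The
// same containment check applies to archive entry names on extraction
// (Zip Slip), where entries like "../../etc/passwd" must be rejected.
func safeJoin(authorizedDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, "/\\") {
		return "", ErrTraversal
	}
	base := path.Clean("/" + authorizedDir)
	joined := path.Join(base, name)
	prefix := base
	if prefix != "/" {
		prefix += "/"
	}
	if !strings.HasPrefix(joined, prefix) {
		return "", ErrTraversal
	}
	return joined, nil
}

func main() {
	// Alice is authorized for /users/alice and submits a crafted name.
	dir, name := "/users/alice", "../bob/secret.txt"
	fmt.Println("vulnerable join resolves to:", resolvedTarget(dir, name))
	if _, err := safeJoin(dir, name); err != nil {
		fmt.Println("hardened join rejects it:", err)
	}
	if p, err := safeJoin(dir, "notes.txt"); err == nil {
		fmt.Println("hardened join accepts a plain name:", p)
	}
}
```

The point of the containment re-check after path.Join is that it remains correct even if a later change relaxes the single-component rule (for example to accept a relative destination sub-path): any result that does not start with the authorized directory is refused regardless of how it was built.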
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized access to files belonging to other users within the same storage mount.
- An attacker can delete, rename, move, or copy files outside their authorized directories.
- It can lead to data destruction, unauthorized data access, and integrity violations.
- The attacker only needs to be authenticated with basic file operation permissions; no additional user interaction is required.
Overall, this can compromise confidentiality, integrity, and availability of data within shared storage environments.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for file operation requests whose filename or path parameters contain directory traversal sequences such as "../". Specifically, look for authenticated user requests that try to remove, rename, copy, or move files with traversal patterns that escape the caller's authorized directory.

For example, inspect logs or capture HTTP POST requests to endpoints such as /api/fs/remove, /api/fs/copy, /api/fs/move, or /api/fs/rename for parameter values containing "../" sequences. Attackers may percent-encode the sequence (for example "%2e%2e%2f" or "..%2F"), so decode values before matching.

Suggested commands to detect such attempts include:
- Using grep on server logs to find traversal sequences in file operation requests: grep -r '\.\./' /path/to/alist/logs/
- Using network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests that carry a payload and search it for a literal "../" (adjust the port to your deployment; Alist listens on 5244 by default, and a reverse proxy typically fronts it on 80 or 443): tcpdump -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -F '../'
- Reviewing application logs for suspicious file operation parameters that include directory traversal patterns.

Packet capture only works for plaintext HTTP; if Alist is served over TLS, inspect at the reverse proxy or in application logs instead. [2]
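The following added Go example (not from this page or the Alist project) runs the detection logic described above over a few constructed request records. It assumes a logging middleware or reverse proxy writes one JSON object per request with the user, the request path, and the parsed JSON body; Alist's own log format may differ. The body field names dir, names, path, name, src_dir and dst_dir are assumed request parameters of those endpoints. Unlike a literal grep for "../", it percent-decodes values (twice, to catch double encoding) and normalizes backslashes before looking for a ".." path component, and it does not fire on names that merely contain ".." such as archive..old.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Request is the shape of one constructed log record (an assumed JSON-lines
// format from a reverse proxy or logging middleware, not Alist's own log).
type Request struct {
	User string          `json:"user"`
	Path string          `json:"path"`
	Body json.RawMessage `json:"body"`
}

// Finding describes one flagged parameter value.
type Finding struct {
	User, Endpoint, Value string
}

// fileOpEndpoints lists the Alist file-operation routes named in the
// detection guidance above.
var fileOpEndpoints = map[string]bool{
	"/api/fs/remove": true, "/api/fs/rename": true,
	"/api/fs/copy": true, "/api/fs/move": true,
}

// hasTraversal reports whether s contains a ".." path component after
// percent-decoding (applied twice to catch double encoding) and
// normalizing backslashes to slashes.
func hasTraversal(s string) bool {
	for i := 0; i < 2; i++ {
		if d, err := url.PathUnescape(s); err == nil {
			s = d
		}
	}
	s = strings.ReplaceAll(s, "\\", "/")
	for _, seg := range strings.Split(s, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// walkStrings calls fn on every string value nested anywhere in v, so the
// check covers scalar fields (name, dst_dir) and arrays (names) alike.
func walkStrings(v interface{}, fn func(string)) {
	switch x := v.(type) {
	case string:
		fn(x)
	case []interface{}:
		for _, e := range x {
			walkStrings(e, fn)
		}
	case map[string]interface{}:
		for _, e := range x {
			walkStrings(e, fn)
		}
	}
}

// ScanLog parses newline-delimited JSON records and returns a finding for
// every file-operation request parameter that carries a traversal component.
func ScanLog(log string) ([]Finding, error) {
	var out []Finding
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var r Request
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			return nil, err
		}
		if !fileOpEndpoints[r.Path] {
			continue
		}
		var body interface{}
		if len(r.Body) > 0 {
			if err := json.Unmarshal(r.Body, &body); err != nil {
				return nil, err
			}
		}
		walkStrings(body, func(s string) {
			if hasTraversal(s) {
				out = append(out, Finding{r.User, r.Path, s})
			}
		})
	}
	return out, nil
}

// sampleLog is constructed for this example; it is not real Alist traffic.
const sampleLog = `{"user":"alice","path":"/api/fs/list","body":{"path":"/users/alice"}}
{"user":"alice","path":"/api/fs/remove","body":{"dir":"/users/alice","names":["notes.txt"]}}
{"user":"alice","path":"/api/fs/remove","body":{"dir":"/users/alice","names":["../bob/secret.txt"]}}
{"user":"alice","path":"/api/fs/rename","body":{"path":"/users/alice/a.txt","name":"..%2F..%2Fshared%2Fb.txt"}}
{"user":"alice","path":"/api/fs/move","body":{"src_dir":"/users/alice","dst_dir":"/users/alice/..\\bob","names":["x.txt"]}}
{"user":"alice","path":"/api/fs/copy","body":{"src_dir":"/users/alice","dst_dir":"/users/alice/archive..old","names":["x.txt"]}}`

func main() {
	findings, err := ScanLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("user=%s endpoint=%s value=%q\n", f.User, f.Endpoint, f.Value)
	}
}
```

Three of the six constructed records are flagged: the plain "../" name, the percent-encoded rename target, and the backslash variant in dst_dir. The listing request is skipped because it is not a file-operation endpoint, and archive..old is left alone because ".." is not a whole path component there.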
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade Alist to version 3.57.0 or later, where this path traversal vulnerability is patched.

If upgrading immediately is not possible, remove file operation permissions (remove, rename, copy, move) from accounts that do not need them, especially in multi-user shared storage environments, since the flaw is only reachable by an authenticated user holding those permissions.

Additionally, monitor and block requests whose file operation parameters contain directory traversal sequences ("../"), decoding percent-encoded values before matching so that variants such as "%2e%2e%2f" are not missed.

The patch introduces secure path joining, path validation, and strict file type checks to prevent directory traversal during file operations and archive extraction. [1, 2]