Executive Summary

The vulnerability is a path traversal flaw in xiaomusic version 0.5.7, specifically in the GET /music/{file_path:path} endpoint. It allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check.

The issue arises because the application checks if the requested file path starts with the configured music directory path using a startswith() function, but it does not include a trailing path separator in this check. This allows attackers to craft traversal sequences that bypass the restriction by targeting sibling directories whose names share the music_path prefix.

For example, a path like /music/../music_secret/file.txt can bypass validation because "music_secret" starts with "music", tricking the check into allowing access to files outside the intended directory.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a significant impact because it allows unauthenticated remote attackers to read arbitrary files on the server outside the intended music directory.

• Attackers can access sensitive files such as voice memos, backups, or critical system files like /etc/passwd.
• Since no authentication is required, any remote attacker can exploit this flaw to gain unauthorized access to potentially sensitive or confidential information.

The CVSS v4.0 base score of 8.7 indicates a high severity risk, highlighting the potential for serious confidentiality breaches.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access files outside the intended music directory via the GET /music/{file_path:path} endpoint using crafted path traversal sequences. For example, requesting paths that include traversal patterns like ../music_secret/file.txt can reveal if the server improperly validates the path prefix.

You can use tools like curl or wget to test for this vulnerability by sending HTTP GET requests with crafted paths to the vulnerable endpoint.

• curl -v "http://<target-host>/music/../music_secret/private.txt"
• curl -v "http://<target-host>/music/../../etc/passwd"

If the server responds with the contents of files outside the intended directory, it indicates the presence of the path traversal vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to apply the official patch that fixes the path traversal vulnerability by adding a trailing path separator to the path containment checks in the affected functions.

Specifically, update the xiaomusic application to a version that includes the fix from commit 88404da, which ensures that the startswith() checks for the music directory path append the operating system's path separator (os.sep). This prevents attackers from bypassing the directory restriction.

If updating is not immediately possible, consider restricting access to the GET /music/{file_path:path} endpoint via network controls or disabling unauthenticated access (e.g., setting XIAOMUSIC_DISABLE_HTTPAUTH=false) to reduce exposure.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to read arbitrary files outside the intended music directory, including potentially sensitive files such as voice memos, backups, or system files like /etc/passwd. This unauthorized access to sensitive or personal data could lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require strict controls on access to personal and sensitive information.

Because the flaw enables remote attackers to bypass access controls and retrieve files without authentication, it undermines confidentiality and data security requirements mandated by these standards.

Useful 0 Not Useful 0