CVE-2021-43495
Description
AlquistManager branch as of commit 280d99f43b11378212652e75f6f3159cde9c1d36 is affected by a directory traversal vulnerability in alquist/IO/input.py. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A directory traversal vulnerability in AlquistManager's IO module allows attackers to read arbitrary files, potentially leading to remote code execution.
Vulnerability
The vulnerability exists in the alquist/IO/input.py file of the AlquistManager repository as of commit 280d99f43b11378212652e75f6f3159cde9c1d36. The Flask route get_bot4 uses send_from_directory with attacker-controlled path and file parameters, allowing directory traversal via ../ sequences [1]. This affects all versions up to that commit.
Exploitation
An attacker can send a crafted HTTP GET request to the vulnerable endpoint, manipulating the path and file parameters to traverse directories. For example, using curl with --path-as-is and a URL like http://0.0.0.0:5000/../etc/passwd (or similar) can read arbitrary files [1]. No authentication is required; the attacker only needs network access to the server.
Impact
Successful exploitation leads to disclosure of critical secrets stored anywhere on the filesystem, such as configuration files, credentials, or application source code. This information can significantly aid in achieving remote code execution [1]. The impact is high confidentiality loss, with potential for full system compromise.
Mitigation
As of the publication date (2021-11-15), no official patch has been released. The issue was reported in GitHub issue #43 [1]. Users should avoid using the affected commit or apply input validation on the path and file parameters, such as restricting allowed characters and ensuring the resolved path stays within the intended directory. The cited reference does not mention a KEV listing.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AlquistManager/AlquistManager (description)
- Range: = 280d99f43b11378212652e75f6f3159cde9c1d36
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on attacker-controlled path and file parameters in a Flask route allows directory traversal via send_from_directory."
Attack vector
An unauthenticated remote attacker sends a crafted HTTP GET request to the Flask route `/<bot>/<path:path>/<file>` with `../` sequences in the path segment. The route passes the attacker-controlled `path` and `file` parameters directly to `send_from_directory("../client/" + path, file)` [1]. Because no sanitization or whitelist is applied, the attacker can traverse outside the intended `../client/` directory and read arbitrary files on the filesystem, such as `/etc/passwd` [1]. The attack requires only network access to the AlquistManager server (default port 5000) and no authentication or special privileges [1].
Affected code
The vulnerability is in `alquist/IO/input.py` [1]. The Flask route `/<bot>/<path:path>/<file>` calls `send_from_directory("../client/" + path, file)` where both `path` and `file` are attacker-controlled URL parameters [1].
What the fix does
The advisory recommends restricting the `file` and `path` parameters to a fixed whitelist of allowed values [1]. No patch commit is included in the bundle, so the exact fix is not shown; however, the remediation guidance makes clear that the root cause is the absence of input validation on the route parameters. A proper fix would validate that the resolved path stays within the intended directory before calling `send_from_directory`.
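One way to implement that containment check, as an added example (not AlquistManager code and not taken from the advisory). The function names, the `client_root` parameter and the temporary directory tree are assumptions constructed for illustration; `naive_target` only models how the affected route builds its directory argument.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def naive_target(client_root: str, path: str, file: str) -> str:
    """Model of the affected call: `path` is concatenated into the directory
    argument, so no fixed root bounds where the lookup ends up."""
    return os.path.realpath(os.path.join(client_root + "/" + path, file))


def safe_target(client_root: str, path: str, file: str) -> Optional[str]:
    """Return the real path to serve, or None when the request must be refused."""
    root = os.path.realpath(client_root)
    # realpath collapses ../ and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(root, path, file))
    # commonpath compares whole components, so a sibling such as
    # <root>-evil is not mistaken for a location under <root>.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo() -> dict:
    """Constructed tree: <tmp>/client/js/app.js inside, <tmp>/secret.txt outside."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        client = os.path.join(tmp, "client")
        os.makedirs(os.path.join(client, "js"))
        Path(client, "js", "app.js").write_text("console.log('ok')\n")
        Path(tmp, "secret.txt").write_text("constructed secret\n")
        os.symlink(tmp, os.path.join(client, "up"))  # link that leaves the root
        outside = os.path.join(tmp, "secret.txt")
        return {
            "naive_escapes": naive_target(client, "js/../..", "secret.txt") == outside,
            "legit_served": safe_target(client, "js", "app.js")
            == os.path.join(client, "js", "app.js"),
            "dotdot": safe_target(client, "js/../..", "secret.txt"),
            "absolute": safe_target(client, "/etc", "passwd"),
            "symlink": safe_target(client, "up", "secret.txt"),
            "sibling": safe_target(client, "../client-evil", "x"),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In a route handler, a `None` result would be answered with a 404 before anything reaches `send_from_directory`.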
Preconditions
- network: Attacker must have network access to the AlquistManager server (default port 5000).
- auth: No authentication required; the vulnerable route is publicly accessible.
- input: Attacker must be able to send crafted HTTP GET requests with ../ path traversal sequences.
Reproduction
curl -i --path-as-is -s -k -X $'GET' -H $'Host: 0.0.0.0:5000' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' $'http://0.0.0.0:5000/asd/../../../../../../../../etc/passwd' [ref_id=1]
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/AlquistManager/alquist/issues/43 (mitre, x_refsource_MISC)