CVE-2022-25377
Description
Appwrite 0.5.0–0.12.1 ACME-challenge endpoint allowed unauthenticated directory traversal to read arbitrary files when the cert path existed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-25377 is a directory traversal vulnerability in Appwrite's ACME-challenge endpoint, affecting versions 0.5.0 through 0.12.1. The endpoint fails to properly validate file paths, allowing an attacker to use ../ sequences to escape the intended directory and read arbitrary local files [1].
Exploitation requires that the path APP_STORAGE_CERTIFICATES/.well-known/acme-challenge exists on disk, which is automatically created if the administrator installs Let's Encrypt certificates via Appwrite. No authentication is needed to trigger the vulnerability [4].
An unauthenticated remote attacker can read sensitive files such as /etc/passwd, potentially exposing system credentials or configuration data. A proof-of-concept published by dubell.io demonstrates the attack [4].
The vulnerability was fixed in Appwrite version 0.12.2 via pull request #2780, which introduced proper path validation [3]. Users are advised to upgrade to 0.12.2 or later to mitigate the risk.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
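The pre-fix and post-fix path handling the narrative describes, as an added Python illustration (not Appwrite's PHP code): `resolve_vulnerable` mirrors the strip-prefix-and-concatenate logic, `resolve_hardened` mirrors the 0.12.2 segment-count and token allow-list check. The dirname containment check and the temporary certificates directory with its token file are assumptions added here.

```python
import os
import re
import shutil
import tempfile

# ACME HTTP-01 tokens are base64url, so this is the same allow-list the 0.12.2
# fix uses ([A-Za-z0-9_-], max 100 chars); CHALLENGE_PREFIX is the served route.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{1,100}")

def resolve_vulnerable(cert_dir, uri):
    # Pre-fix logic: strip the route prefix, concatenate, normalise. Nothing stops
    # '../' segments in the remainder from walking out of the challenge directory.
    remainder = uri.replace(CHALLENGE_PREFIX, "", 1)
    return os.path.realpath(os.path.realpath(cert_dir) + CHALLENGE_PREFIX + remainder)

def resolve_hardened(cert_dir, uri):
    # Post-fix logic: exactly four URI segments and an allow-listed last segment.
    # The dirname containment check is an addition (defence in depth): it also
    # refuses a challenge file that is a symlink pointing outside the directory.
    chunks = uri.split("/")
    if len(chunks) != 4 or chunks[:3] != ["", ".well-known", "acme-challenge"]:
        return None
    if not TOKEN_RE.fullmatch(chunks[3]):
        return None
    challenge_dir = os.path.realpath(os.path.join(cert_dir, ".well-known", "acme-challenge"))
    absolute = os.path.realpath(os.path.join(challenge_dir, chunks[3]))
    if os.path.dirname(absolute) != challenge_dir or not os.path.isfile(absolute):
        return None
    return absolute

def demo():
    # Constructed fixture: a temporary certificates dir holding one real token file.
    cert_dir = tempfile.mkdtemp()
    challenge_dir = os.path.join(cert_dir, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir)
    with open(os.path.join(challenge_dir, "abc_DEF-123"), "w") as fh:
        fh.write("abc_DEF-123.constructed-key-authorization")
    good = CHALLENGE_PREFIX + "abc_DEF-123"
    traversal = CHALLENGE_PREFIX + "../" * 12 + "etc/passwd"
    results = {
        "base": os.path.realpath(cert_dir),
        "vuln_good": resolve_vulnerable(cert_dir, good),
        "vuln_traversal": resolve_vulnerable(cert_dir, traversal),
        "hard_good": resolve_hardened(cert_dir, good),
        "hard_traversal": resolve_hardened(cert_dir, traversal),
        "hard_dotdot": resolve_hardened(cert_dir, CHALLENGE_PREFIX + ".."),
    }
    shutil.rmtree(cert_dir, ignore_errors=True)
    return results
```

Running `demo()` shows the same valid token resolving identically under both versions, while the traversal URI resolves to /etc/passwd under the old logic and is rejected by the new one.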
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| appwrite/server-ce (Packagist) | >= 0.5.0, < 0.12.2 | 0.12.2 |
Affected products
- Appwrite/Appwrite
Patches
892f6fa4ba0d Merge pull request #2780 from appwrite/0.12-acme-fix
1 file changed · +19 −1
app/controllers/general.php+19 −1 modified@@ -7,6 +7,7 @@ use Utopia\Logger\Log\User; use Appwrite\Utopia\Request; use Appwrite\Utopia\Response; +use Utopia\Validator\Text; use Appwrite\Utopia\View; use Utopia\Exception; use Utopia\Config\Config; @@ -524,9 +525,26 @@ ->inject('request') ->inject('response') ->action(function ($request, $response) { + $uriChunks = \explode('/', $request->getURI()); + $token = $uriChunks[\count($uriChunks) - 1]; + + $validator = new Text(100, [ + ...Text::NUMBERS, + ...Text::ALPHABET_LOWER, + ...Text::ALPHABET_UPPER, + '-', + '_' + ]); + + if (!$validator->isValid($token) || \count($uriChunks) !== 4) { + throw new Exception('Invalid challenge token.', 400); + } + + $filePath = '/.well-known/acme-challenge' . $token; + $base = \realpath(APP_STORAGE_CERTIFICATES); $path = \str_replace('/.well-known/acme-challenge/', '', $request->getURI()); - $absolute = \realpath($base.'/.well-known/acme-challenge/'.$path); + $absolute = \realpath($base.'/.well-known/acme-challenge/'.$filePath); if (!$base) { throw new Exception('Storage error', 500);
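Review bot: in the second hunk, `$filePath = '/.well-known/acme-challenge' . $token;` has no separator before the token and is then appended to `$base.'/.well-known/acme-challenge/'`, so as written `$absolute` resolves from `$base/.well-known/acme-challenge//.well-known/acme-challenge<token>` rather than `$base/.well-known/acme-challenge/<token>`; pass the token directly, `$absolute = \realpath($base.'/.well-known/acme-challenge/'.$token);`, and drop `$filePath`. The `$path = \str_replace(...)` line is now unused and should be removed too. What actually blocks traversal here is the `Text` allow-list (digits, letters, `-`, `_`, so no `/` or `.`) combined with the `\count($uriChunks) !== 4` check; a cheap defence-in-depth addition after `\realpath` is to verify that `$absolute` still starts with `$base.'/.well-known/acme-challenge/'`, which also refuses a challenge file that is a symlink pointing outside the directory.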
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-wfm3-gq9h-mrjm (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-25377 (advisory, via GHSA)
- dubell.io/unauthenticated-lfi-in-appwrite-0.5.0-0.12.1 (web, via GHSA)
- github.com/appwrite/appwrite/blob/0.12.0/app/controllers/general.php (web, via GHSA)
- github.com/appwrite/appwrite/commit/892f6fa4ba0d44e2435ffad1a84542400cfb7a9b (web, via GHSA)
- github.com/appwrite/appwrite/pull/2780 (web, via GHSA)
- github.com/appwrite/appwrite/releases/tag/0.12.2 (web, via GHSA)
- dubell.io/unauthenticated-lfi-in-appwrite-0.5.0-0.12.1/ (via MITRE)