VYPR
Unrated severity. NVD Advisory. Published Jun 19, 2023. Updated Dec 11, 2024.

CVE-2023-35844

Description

packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension (.csv or .png) is used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Lightdash before 0.510.3 allows directory traversal in file endpoints, enabling arbitrary file read.

Vulnerability

The vulnerability exists in the Slack image endpoint and CSV file endpoint in Lightdash versions before 0.510.3. The server constructs file paths by concatenating user-supplied parameters (imageId or fileId) to the /tmp directory without proper sanitization, allowing directory traversal sequences like .. to escape the intended directory. Additionally, the endpoints do not enforce that the file extension matches the expected type (.png for images, .csv for CSV files). [1][2]

Exploitation

An attacker can send a crafted request to the /slack/image/:imageId or /api/v1/projects/.../csv/:fileId endpoints with a path traversal payload in the parameter, such as ../../etc/passwd. No authentication is required for the Slack image endpoint; the attacker simply needs network access to the Lightdash server. The server serves the file if it exists, or returns an error message that reveals whether the file path exists. [1]

Impact

Successful exploitation allows an attacker to read arbitrary files on the server filesystem, including sensitive configuration files, credentials, or other data. This leads to information disclosure. The attacker gains no code execution directly, but the leaked information could be used for further attacks. [1]

Mitigation

The fix was implemented in commit fcc808c and released in Lightdash version 0.510.3 on April 14, 2023. The fix adds checks to ensure the fileId starts with csv- and ends with .csv, and the imageId starts with slack-image and ends with .png. It also sanitizes the parameter by removing .. sequences. Users should upgrade to version 0.510.3 or later. No workaround is provided for older versions. [2][3][4]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"Missing input validation and sanitization of user-supplied file identifiers allows directory traversal via `..` sequences."

Attack vector

An unauthenticated attacker sends a crafted HTTP GET request to the `/api/v1/slack/image/:imageId` endpoint (or the CSV file endpoint) with a URL-encoded path traversal payload in the `imageId` parameter, e.g., `slack-image%2F..%2F..%2F..%2Fetc%2Fpasswd` [ref_id=1]. The server joins this unsanitized value with `/tmp` and serves the resulting file if it exists, allowing arbitrary file read outside the intended directory [ref_id=1]. No authentication is required, and the only precondition is network access to the Lightdash server [ref_id=1].

Affected code

The vulnerable endpoints are in `/packages/backend/src/routers/slackRouter.ts` (the `/image/:imageId` route) and the CSV file endpoint in the project router. Both construct file paths by joining `/tmp` with the user-supplied parameter without sanitizing `..` traversal sequences or validating the file extension [ref_id=1][ref_id=2].

What the fix does

The patch [ref_id=2] adds two checks to each endpoint: the file ID must both start with the expected prefix (`csv-` or `slack-image`) AND end with the expected extension (`.csv` or `.png`). It also strips any `..` substrings from the file ID via `.replace('..', '')` before constructing the path. These changes prevent directory traversal and ensure only files matching the intended naming convention can be served [ref_id=2].

Preconditions

  • Network access to the Lightdash server's API endpoints
  • No authentication required

Reproduction

Send a curl request with a URL-encoded path traversal payload: `curl "https://localhost/api/v1/slack/image/slack-image%2F..%2F..%2F..%2Fetc%2Fpasswd"` [ref_id=1]. The server will return the contents of `/etc/passwd` if the file exists [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
