CVE-2024-47818
Description
Saltcorn is an extensible, open source, no-code database application builder. A logged-in user with any role can delete arbitrary files on the filesystem by calling the sync/clean_sync_dir endpoint. The dir_name POST parameter is not validated/sanitized and is used to construct the syncDir that is deleted by calling fs.rm. This issue has been addressed in release version 1.0.0-beta16 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A logged-in user with any role can delete arbitrary files on the filesystem via the sync/clean_sync_dir endpoint due to insufficient input validation.
Vulnerability
Overview
CVE-2024-47818 is a path traversal vulnerability in Saltcorn, an open-source no-code database application builder. The root cause lies in the sync/clean_sync_dir endpoint, where the dir_name POST parameter is not validated or sanitized before being used to construct a file path. The code at packages/server/routes/sync.js (lines 337-346) joins dir_name with a base directory and passes the result to fs.rm with recursive: true and force: true, allowing deletion of arbitrary files and directories [4].
Exploitation
An attacker must be a logged-in user with any role (including low-privilege roles) and possess a valid session cookie and CSRF token. By supplying a dir_name value containing path traversal sequences (e.g., /../../../../tmp/secret), the attacker can cause the server to delete files outside the intended sync directory. The advisory provides a proof-of-concept curl request demonstrating this [3].
Impact
Successful exploitation allows an authenticated attacker to delete arbitrary files on the server's filesystem. This could lead to denial of service, data loss, or disruption of the application and underlying system. The vulnerability does not require administrative privileges, increasing its potential reach.
Mitigation
The issue has been addressed in Saltcorn release version 1.0.0-beta16. All users are advised to upgrade immediately. There are no known workarounds for this vulnerability [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @saltcorn/server (npm) | < 1.0.0-beta.16 | 1.0.0-beta.16 |
Patches (1)
20a48ceb965683c551261d0e2 Merge commit from fork
2 files changed · +4 −2
packages/server/routes/eventlog.js+2 −1 modified@@ -41,6 +41,7 @@ const { i, th, pre, + text, } = require("@saltcorn/markup/tags"); const Table = require("@saltcorn/data/models/table"); const { send_events_page } = require("../markup/admin.js"); @@ -442,7 +443,7 @@ router.get( ) + div( { class: "eventpayload" }, - ev.payload ? pre(JSON.stringify(ev.payload, null, 2)) : "" + ev.payload ? pre(text(JSON.stringify(ev.payload, null, 2))) : "" ), }, });
packages/server/routes/sync.js+2 −1 modified@@ -335,13 +335,14 @@ router.post( "/clean_sync_dir", error_catcher(async (req, res) => { const { dir_name } = req.body; + const safe_dir_name = File.normalize(dir_name); try { const rootFolder = await File.rootFolder(); const syncDir = path.join( rootFolder.location, "mobile_app", "sync", - dir_name + safe_dir_name ); await fs.rm(syncDir, { recursive: true, force: true }); res.status(200).send("");
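Review bot: in the eventlog.js hunk at @@ -442, the behaviour change is not described anywhere in the commit message ("Merge commit from fork") or in the advisory text: `ev.payload ? pre(JSON.stringify(ev.payload, null, 2))` becomes `pre(text(JSON.stringify(...)))`, so the stringified event payload is now escaped via the `text` helper imported in the @@ -41 hunk before it is rendered inside `pre`. Since the payload is rendered on an admin page and its content is not controlled by the renderer, the escaping is the right call, but it should be named in the commit message so that downstream reviewers do not mistake the merge for a sync.js-only fix.

Review bot: in the sync.js hunk at @@ -335, `const safe_dir_name = File.normalize(dir_name);` is the only new guard, and the hunk shows neither a check that the resulting `syncDir` still lies under `<rootFolder>/mobile_app/sync` nor any handling of a missing or empty `dir_name`, which is destructured from `req.body` without a presence check. Unless `File.normalize` rejects those cases (not visible here), an empty name makes `path.join(rootFolder.location, "mobile_app", "sync", safe_dir_name)` equal to the sync root itself, and the unchanged `await fs.rm(syncDir, { recursive: true, force: true });` would then remove the whole sync directory. Suggest returning a 4xx when `dir_name` is absent or empty, and resolving `syncDir` and verifying it is a strict descendant of the sync base before the `fs.rm` call, so the safety of the endpoint does not rest on a single helper's semantics.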
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-43f3-h63w-p6f6 (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2024-47818 (GHSA, advisory)
- https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.15/packages/server/routes/sync.js (NVD, web)
- https://github.com/saltcorn/saltcorn/commit/3c551261d0e230635774798009951fa83a07cc3a (NVD, web)
- https://github.com/saltcorn/saltcorn/security/advisories/GHSA-43f3-h63w-p6f6 (NVD, web)