CVE-2025-6774

Overview

A path traversal vulnerability was discovered in the AddTemp function of api/template.go in sublinkX versions up to and including 1.8 [1][3]. The function concatenates user-supplied filename parameter directly with the ./template/ base path when writing files via os.WriteFile, without sanitizing for directory traversal sequences such as ../ [3]. This allows an attacker to escape the intended ./template/ directory.

Exploitation

An attacker can exploit this by sending a crafted HTTP request to the affected endpoint with a filename parameter containing path traversal sequences (e.g., ../../../../etc/pwn.123). No authentication is required to trigger the vulnerability, and the attack can be performed remotely over the network [1][3]. The vulnerability has been publicly disclosed along with a proof-of-concept, making exploitation straightforward [3].

Impact

Successful exploitation allows an attacker to write arbitrary file content (supplied via the text parameter) to any location on the server filesystem that the application process has write permissions for. This could lead to arbitrary code execution (e.g., overwriting critical application files, configuration files, or web shells), data manipulation, or denial of service [2][3]. The CVSS v3 base score is 6.3 (Medium), reflecting the high impact on confidentiality, integrity, and availability, albeit requiring some skill to chain with other actions [2].

Mitigation

The vulnerability is addressed in version 1.9 of sublinkX, released as a patched version. The fix is implemented in commit 778d26aef723daa58df98c8060c43f5bf5d1b10b [1]. Users are strongly recommended to upgrade to version 1.9 or later. No workarounds have been officially provided for older versions [1][2].