CVE-2025-7450
Description
A vulnerability was found in letseeqiji gorobbs up to 1.0.8. It has been classified as critical. This affects the function ResetUserAvatar of the file controller/api/v1/user.go of the component API. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in gorobbs <=1.0.8 allows remote attackers to write arbitrary files via the ResetUserAvatar API endpoint.
The ResetUserAvatar function in controller/api/v1/user.go of gorobbs (up to version 1.0.8) is vulnerable to path traversal. The code constructs a file path by directly concatenating the user-supplied filename parameter from the uploaded avatar file with a base directory (upload/avatar/). No sanitization or validation is performed to prevent directory traversal sequences (e.g., ../), allowing the filename to escape the intended upload directory [1].
An unauthenticated remote attacker can exploit this by crafting the filename parameter with path traversal patterns. For example, setting the filename to ../../../../etc/pwn.png and the user id parameter to ../../../ enables writing a file to an arbitrary location on the server [1]. The endpoint is publicly accessible and does not require authentication to trigger the file write operation, as shown in the referenced code block [1].
Successful exploitation permits writing arbitrary file content to any directory the web server process can write to. This can lead to remote code execution if an attacker writes a malicious script (e.g., a PHP or shell file) into a web-accessible directory, or overwrites critical system files [1]. The vendor advisory and public exploit disclosure confirm the critical nature of the vulnerability [1].
As of the publication date, the vendor has not released a patch; the issue remains open in the project's GitHub repository. Users are advised to restrict access to the /api/v1/user endpoint, implement rigorous input validation for file uploads, and monitor the repository for a fix [1].
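The unsafe concatenation described above, beside a hardened replacement, as an added Go example that is not gorobbs's own code: the base directory upload/avatar/ comes from the advisory, while the function names, the image extension allow-list and the sample inputs are assumptions.

```go
package main

import (
	"errors"
	"path/filepath"
	"strings"
)

// Base directory named in the advisory (upload/avatar/).
const avatarDir = "upload/avatar"

var errBadName = errors.New("rejected avatar path component")

// unsafeAvatarPath reconstructs the pattern the advisory describes (not the
// project's code): input is concatenated onto the base directory, so a
// filename or user id containing "../" walks out of upload/avatar/.
func unsafeAvatarPath(userID, filename string) string {
	return avatarDir + "/" + userID + "/" + filename
}

// escapesBase reports whether p resolves outside avatarDir once ".." applies.
func escapesBase(p string) bool {
	rel, err := filepath.Rel(avatarDir, filepath.Clean(p))
	return err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeAvatarPath accepts only a single plain path component for the id and
// the filename, allows a short list of image extensions, and re-checks that
// the joined result still lies under avatarDir (defense in depth).
func safeAvatarPath(userID, filename string) (string, error) {
	for _, part := range []string{userID, filename} {
		if part == "" || part == "." || part == ".." ||
			strings.ContainsAny(part, "/\\\x00") || filepath.Base(part) != part {
			return "", errBadName
		}
	}
	switch strings.ToLower(filepath.Ext(filename)) {
	case ".png", ".jpg", ".jpeg", ".gif":
	default:
		return "", errBadName
	}
	full := filepath.Join(avatarDir, userID, filename)
	if escapesBase(full) {
		return "", errBadName
	}
	return full, nil
}
```

Rejecting the input outright (rather than cleaning it) is deliberate: a traversal attempt on an avatar upload is worth logging as a probe, not silently normalising.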
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.