VYPR
Medium severity (6.3) · NVD Advisory · Published Jul 11, 2025 · Updated Apr 29, 2026

CVE-2025-7452

Description

A vulnerability was found in kone-net go-chat up to f9e58d0afa9bbdb31faf25e7739da330692c4c63. It has been declared as critical. This vulnerability affects the function GetFile of the file go-chat/api/v1/file_controller.go of the component Endpoint. The manipulation of the argument fileName leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

go-chat up to commit f9e58d0afa9 is vulnerable to path traversal in the GetFile endpoint, allowing remote unauthenticated arbitrary file read.

Vulnerability

The vulnerability resides in the GetFile function of go-chat/api/v1/file_controller.go in the kone-net/go-chat project (rolling release, affected up to commit f9e58d0afa9). The endpoint takes a client-supplied fileName parameter and passes it to ioutil.ReadFile with no validation or sanitization of the name, so traversal sequences such as ../../../../etc/passwd are resolved by the operating system and the read lands on files outside the intended directory [1][2].

Exploitation

The attack is remotely exploitable with no authentication required. By sending a GET request to /file/../../../../etc/passwd, an attacker can read arbitrary files from the server's filesystem. The lack of input validation on the fileName parameter directly enables this directory traversal [1][2]. Note that the web framework decodes percent-encoding before the handler sees the parameter, so encoding the dots or slashes in the request does not change the value that reaches ioutil.ReadFile; any check has to operate on the decoded name.

Impact

An attacker can read sensitive files on the server, such as /etc/passwd, configuration files, or any other file readable by the application process. This may lead to disclosure of secrets, credentials, or system information that could facilitate further compromise. The official description and references classify this as a critical issue [1][2]; that wording is the reporting database's own classification, while the NVD score shown on this page is 6.3 (medium). The practical severity depends on what the go-chat process can read, which is why the service account's filesystem permissions matter as much as the code fix.

Mitigation

At the time of publication no patched release is available: the project uses a rolling release model, and the latest commit at disclosure was f9e58d0afa9. Until a fix is provided, treat fileName as a bare file name (reject empty names, path separators and ".."), resolve it under the configured directory and verify that the resulting path is still inside that directory, and run the service under an account that cannot read secrets outside the upload directory [1]. Rejecting the request in the handler is the dependable control; filtering "../" in front of the application is only defence in depth.
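The following Go program is an added example written for this page; it is not code from the go-chat project or from the cited references. It is written against the standard library rather than the project's router, and the directory layout, file names and the reconstructed vulnerableRead are assumptions for illustration. It puts the concatenate-and-ReadFile pattern the Vulnerability section describes next to a hardened resolver that implements the mitigation above: fileName is accepted only as a bare file name, and the joined path is independently checked to still lie under the upload directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrBadFileName is returned when a client-supplied name is not a plain file
// name that resolves inside the upload directory.
var ErrBadFileName = errors.New("fileName is not a plain file name inside the upload directory")

// vulnerableRead reconstructs the pattern the advisory describes: the
// client-supplied fileName is appended to the configured directory and read
// with no validation. Illustrative reconstruction, not the project's code.
func vulnerableRead(baseDir, fileName string) ([]byte, error) {
	return os.ReadFile(baseDir + "/" + fileName)
}

// safePath resolves fileName under baseDir and rejects anything that could
// escape it. Two independent checks: the name must be a single path element
// (no separators, no NUL, not "." or ".."), and the joined path must still lie
// under the absolute base directory.
func safePath(baseDir, fileName string) (string, error) {
	// Routers hand the handler a percent-decoded value, so "%2e%2e%2f" has
	// already become "../" by the time it reaches this check.
	if fileName == "" || fileName == "." || fileName == ".." ||
		strings.ContainsAny(fileName, `/\`) || strings.ContainsRune(fileName, 0) {
		return "", ErrBadFileName
	}
	absBase, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absBase, fileName)
	// Containment check: the path relative to the base must not climb out of it.
	rel, err := filepath.Rel(absBase, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadFileName
	}
	return full, nil
}

// readUpload is the hardened counterpart of vulnerableRead: it resolves the
// name safely and serves only regular files, so directories and symlinks
// planted in the upload directory are refused as well.
func readUpload(baseDir, fileName string) ([]byte, error) {
	full, err := safePath(baseDir, fileName)
	if err != nil {
		return nil, err
	}
	info, err := os.Lstat(full)
	if err != nil {
		return nil, err
	}
	if !info.Mode().IsRegular() {
		return nil, ErrBadFileName
	}
	return os.ReadFile(full)
}

// setupDemoDir builds a constructed layout so the example runs offline:
// <root>/uploads/avatar.png is a legitimate upload, <root>/secret.txt is a
// file the endpoint must never serve. Returns the uploads dir and the root.
func setupDemoDir() (uploads, root string, err error) {
	root, err = os.MkdirTemp("", "go-chat-demo-")
	if err != nil {
		return "", "", err
	}
	uploads = filepath.Join(root, "uploads")
	if err = os.Mkdir(uploads, 0o700); err != nil {
		return "", "", err
	}
	if err = os.WriteFile(filepath.Join(uploads, "avatar.png"), []byte("constructed sample upload"), 0o600); err != nil {
		return "", "", err
	}
	if err = os.WriteFile(filepath.Join(root, "secret.txt"), []byte("constructed secret outside the upload dir"), 0o600); err != nil {
		return "", "", err
	}
	return uploads, root, nil
}

func main() {
	uploads, root, err := setupDemoDir()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)

	// Constructed inputs: a legitimate name, a sibling escape the demo layout
	// makes observable, and the traversal shape from the advisory.
	// err=<nil> means the file was served.
	for _, name := range []string{"avatar.png", "../secret.txt", "../../../../etc/passwd"} {
		_, vErr := vulnerableRead(uploads, name)
		_, hErr := readUpload(uploads, name)
		fmt.Printf("%-24q vulnerable err=%v | hardened err=%v\n", name, vErr, hErr)
	}
}
```

Run it with go run: the reconstructed vulnerable read returns the sibling secret.txt, while readUpload rejects the same name with ErrBadFileName and still serves avatar.png. The two checks in safePath are deliberately redundant: the bare-name test stops "../" and its decoded encoded variants outright, and the filepath.Rel containment test catches anything a later change to the join logic might let through. Lstat plus IsRegular additionally refuses symlinks dropped into the upload directory, which an upload endpoint should not follow.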

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)