Weaviate OSS, Path Traversal Vulnerability (High Severity)


The flaw lies in the shard movement and file replication code of the Weaviate database. While a shard (a subset of a collection's data) is being transferred between nodes, the source node enters a "Pause file activity" state; in that state its FileReplicationService stays reachable so the destination can request files. The `GetFile` method of that service takes a `fileName` parameter and does not sanitise or validate it as a path: it never checks that the requested file resolves inside the shard directory being transferred. An attacker who can reach the service (whether by authenticating as a peer or by other network access to the endpoint) can therefore supply a `fileName` containing directory traversal sequences such as `../../../` and read arbitrary files on the node's filesystem that are readable by the user the Weaviate process runs as. The severity is rated high because it yields unauthorised disclosure of system and application files with no privileges beyond network reachability of the service endpoint.
Platform: Weaviate OSS
Version: 1.30.0-1.33.4
Vulnerability: Path Traversal
Severity: High
Date: Dec 12, 2025

Prediction: Patched Dec 2025

What Undercode Says:

The lines below sketch the traversal payload. The REST-style routes are not documented by the advisory, which places the flaw in the `fileName` field handled by `FileReplicationService.GetFile`; treat the routes as placeholders and the `../` sequences as the substance of the attack.

curl -X GET "http://target:8080/v1/file-replication/..."
fileName=../../../etc/passwd
GET /v1/file-replication/shard/transfer?file=../../config

How to Exploit:

1. Identify a reachable Weaviate node running an affected version (1.30.0 through 1.33.4).

2. Wait for, or trigger, a shard transfer so that the source node enters the "Pause file activity" state and its FileReplicationService is serving `GetFile` requests.

3. Craft a `GetFile` request whose `fileName` value contains traversal sequences (`../../../`) pointing outside the shard directory.

4. Read the returned contents of sensitive system or application files that the Weaviate process user can access.

Protection from this CVE

Update to a patched release (the affected range listed above ends at 1.33.4).

Restrict network access to the inter-node file replication service so that only cluster peers can reach it; the attack needs nothing more than reachability of that endpoint.

Validate `fileName` on the server side: reject absolute paths and `..` components, and confirm that the resolved path still lies inside the shard directory before opening the file.
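The check described in the protection list above, shown beside the vulnerable pattern from the description and exploit steps. This is an added example written for this page in Go, Weaviate's implementation language; it is not Weaviate's own code, and the shard directory, file names and function names are hypothetical. It works on path strings only and touches no files, so it runs anywhere.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideShard is returned when a requested file name resolves outside the shard directory.
var ErrOutsideShard = errors.New("file name resolves outside the shard directory")

// unsafeResolve models the vulnerable pattern: the client-supplied fileName is
// joined onto the shard directory with no containment check. filepath.Join
// cleans the result, so "../" components silently walk out of shardDir.
func unsafeResolve(shardDir, fileName string) string {
	return filepath.Join(shardDir, fileName)
}

// safeResolve is the hardened form. Empty and absolute names are rejected
// outright (filepath.Join would nest an absolute name under the base rather
// than honour it, but such a name is never a legitimate shard file). The
// joined, cleaned path is then mapped back to a path relative to the base;
// a result of ".", ".." or "../..." means the request left the shard directory.
func safeResolve(shardDir, fileName string) (string, error) {
	if fileName == "" || filepath.IsAbs(fileName) {
		return "", ErrOutsideShard
	}
	base := filepath.Clean(shardDir)
	full := filepath.Join(base, fileName)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", ErrOutsideShard
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideShard
	}
	return full, nil
}

func main() {
	// Constructed sample inputs; the shard directory layout is hypothetical.
	shardDir := "/var/lib/weaviate/Article/shard-a"
	for _, name := range []string{
		"segments/seg-1.db",           // legitimate shard file
		"../../../../../etc/passwd",   // traversal escaping to /etc/passwd
		"/etc/passwd",                 // absolute path
		"segments/../../neighbour.db", // traversal hidden behind a valid prefix
	} {
		fmt.Printf("%-30s unsafe=%-42s ", name, unsafeResolve(shardDir, name))
		if p, err := safeResolve(shardDir, name); err != nil {
			fmt.Printf("safe=REJECTED (%v)\n", err)
		} else {
			fmt.Printf("safe=%s\n", p)
		}
	}
}
```

The containment test is lexical: it accepts `segments/../seg-2.db` because the cleaned path still lands inside the shard, but a symlink inside the shard directory that points elsewhere would not be caught. If symlinks can appear under the data directory, resolve with `filepath.EvalSymlinks` before the `Rel` check, or on Go 1.24 and later open files through `os.Root`, which enforces containment in the kernel-facing layer. On Go 1.20 and later, `filepath.IsLocal(fileName)` is a compact pre-check that rejects absolute names and any name that escapes upward.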

Impact:

Arbitrary File Read.

Information Disclosure.

Privilege escalation potential, if the readable files include credentials, keys or configuration that grant further access.


Sources:

Reported By: github.com
