CVE-2025-6773: Path Traversal in HKUDS LightRAG
A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to path traversal. It is possible to launch the attack on the local host. The identifier of the patch is 60777d535b719631680bcf5d0969bdef79ca4eaf. It is recommended to apply a patch to fix this issue.
AI Analysis
Technical Summary
CVE-2025-6773 is a path traversal vulnerability identified in the HKUDS LightRAG software, specifically affecting versions 1.3.0 through 1.3.8. The vulnerability resides in the upload_to_input_dir function within the file lightrag/api/routers/document_routes.py, which handles file uploads. By manipulating the file.filename argument, an attacker with local access can exploit this flaw to perform path traversal attacks. This means the attacker can craft a filename containing directory traversal sequences (e.g., ../) to escape the intended upload directory and write files to arbitrary locations on the host filesystem. Such unauthorized file writes can lead to overwriting critical files, injecting malicious code, or disrupting system operations. The vulnerability requires local host access and low privileges (PR:L), does not require user interaction (UI:N), and has limited impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The CVSS 4.0 base score is 4.8, categorizing it as medium severity. Although no known exploits are currently reported in the wild, the vulnerability is critical in nature due to the potential for arbitrary file writes. A patch has been identified (commit 60777d535b719631680bcf5d0969bdef79ca4eaf) and applying it is recommended to remediate the issue. The vulnerability does not involve network attack vectors and is limited to local exploitation, which reduces its risk profile but still poses a significant threat in environments where untrusted users have local access to systems running vulnerable LightRAG versions.
Potential Impact
For European organizations using HKUDS LightRAG versions 1.3.0 to 1.3.8, this vulnerability could allow local attackers or malicious insiders to write files outside the intended directories, potentially leading to unauthorized code execution, data corruption, or service disruption. This could compromise the integrity and availability of critical document management or processing workflows that LightRAG supports. In sectors with strict data protection regulations such as GDPR, unauthorized file manipulation could also lead to data breaches or compliance violations. Since the attack requires local access, the threat is particularly relevant for organizations with shared workstations, insufficient endpoint security, or weak internal access controls. The medium severity rating reflects the limited attack vector but does not diminish the risk in environments where local access controls are lax. European organizations in industries such as finance, healthcare, and government, where document integrity and availability are paramount, may face operational and reputational damage if exploited.
Mitigation Recommendations
1. Immediately apply the official patch identified by commit 60777d535b719631680bcf5d0969bdef79ca4eaf to all affected LightRAG installations to fix the path traversal vulnerability.
2. Restrict local access to systems running LightRAG to trusted users only, enforcing strict user authentication and authorization policies.
3. Implement file system monitoring and integrity checking on directories used by LightRAG to detect unauthorized file writes or modifications.
4. Employ application-level input validation and sanitization for file upload functionality to prevent malicious filename manipulation.
5. Use containerization or sandboxing techniques to isolate LightRAG processes, limiting the impact of potential exploitation.
6. Conduct regular security audits and penetration testing focusing on local privilege escalation and file upload mechanisms.
7. Educate internal users about the risks of local exploitation and enforce endpoint security best practices to reduce insider threat risks.
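The Technical Summary describes the failure mode (a client-supplied file.filename containing traversal sequences that is joined onto the input directory without being constrained to it), and recommendation 4 asks for application-level validation of the filename. The following is an added example of what that validation looks like in Python; it is not LightRAG's code, does not reproduce the patched upload_to_input_dir, and the allow-listed extensions and the input directory path are assumptions chosen for illustration. It rejects names containing either separator style, NUL bytes or names that collapse to nothing, and then re-verifies containment after resolving the final path so the defence does not rest on the sanitizer alone. The vet_upload wrapper returns an accept/reject decision with a reason string, which is the shape a handler needs to emit one audit line per upload (recommendation 3).

```python
"""Hardened filename handling for an upload-to-directory endpoint.

Added example, not LightRAG's own code. Shows how a client-supplied
filename is reduced to a single safe path component inside a configured
input directory, with a second containment check on the resolved path.
"""
from __future__ import annotations

import os
import re
from pathlib import Path


class UnsafeFilenameError(ValueError):
    """Raised when a client-supplied filename cannot be stored safely."""


# Assumption: a hypothetical allow-list of document types the service ingests.
_ALLOWED_EXTENSIONS = {".txt", ".md", ".pdf", ".docx"}
# Anything outside this conservative character set is replaced with "_".
_SAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")
_MAX_NAME_LEN = 255


def sanitize_filename(client_name: str) -> str:
    """Return a single benign path component derived from an untrusted name.

    Rejects (rather than silently strips) directory separators of both
    styles, so a traversal attempt is surfaced to the caller for logging.
    """
    if not client_name or "\x00" in client_name:
        raise UnsafeFilenameError("empty or NUL-containing filename")
    if "/" in client_name or "\\" in client_name:
        raise UnsafeFilenameError("directory separators are not allowed in filename")
    # Replace disallowed characters, then drop leading/trailing dots so that
    # ".", ".." and dot-prefixed names cannot survive as path components.
    base = _SAFE_CHARS.sub("_", client_name).strip(".")
    if not base:
        raise UnsafeFilenameError("filename reduces to an empty name")
    if len(base) > _MAX_NAME_LEN:
        raise UnsafeFilenameError("filename too long")
    suffix = Path(base).suffix.lower()
    if suffix not in _ALLOWED_EXTENSIONS:
        raise UnsafeFilenameError(f"extension not allowed: {suffix!r}")
    return base


def resolve_upload_target(input_dir: str | os.PathLike[str], client_name: str) -> Path:
    """Return the absolute destination path, guaranteed to lie inside input_dir.

    Sanitizes the name first, then resolves the joined path (following any
    symlinks) and checks it is still under the resolved input directory.
    """
    root = Path(input_dir).resolve()
    target = (root / sanitize_filename(client_name)).resolve()
    try:
        # relative_to raises ValueError when target is not beneath root.
        target.relative_to(root)
    except ValueError as exc:
        raise UnsafeFilenameError(f"path escapes input directory: {target}") from exc
    return target


def vet_upload(input_dir: str | os.PathLike[str], client_name: str) -> tuple[bool, str]:
    """Decision helper for a request handler: (accepted, detail).

    detail is the destination path on success or the rejection reason on
    failure, so the caller can write one audit record per upload attempt.
    """
    try:
        return True, str(resolve_upload_target(input_dir, client_name))
    except UnsafeFilenameError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample names; the input directory is an assumed path.
    for name in ["report.pdf", "../../etc/passwd", "..\\..\\win.ini", "notes\x00.txt", ".."]:
        accepted, detail = vet_upload("/srv/lightrag/inputs", name)
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {name!r}: {detail}")
```

The containment check in resolve_upload_target is deliberately redundant with the sanitizer: if the sanitizer is later relaxed, or the input directory itself contains a symlink, the resolved-path comparison still refuses anything that ends up outside the configured directory.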
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-27T10:22:28.489Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 685eec836f40f0eb726601af
Added to database: 6/27/2025, 7:09:55 PM
Last enriched: 6/27/2025, 7:24:33 PM
Last updated: 7/11/2025, 6:04:39 AM