CVE-2025-6773: Path Traversal in HKUDS LightRAG

Severity: Medium
Published: Fri Jun 27 2025 (06/27/2025, 19:00:17 UTC)
Source: CVE Database V5
Vendor/Project: HKUDS
Product: LightRAG

Description

A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to path traversal. It is possible to launch the attack on the local host. The identifier of the patch is 60777d535b719631680bcf5d0969bdef79ca4eaf. It is recommended to apply a patch to fix this issue.

AI-Powered Analysis

Last updated: 06/27/2025, 19:24:33 UTC

Technical Analysis

CVE-2025-6773 is a path traversal vulnerability in HKUDS LightRAG, affecting versions 1.3.0 through 1.3.8. The flaw sits in the upload_to_input_dir function in lightrag/api/routers/document_routes.py, the handler behind the File Upload component. The function uses the client-supplied file.filename when it builds the destination path, so a filename carrying traversal sequences such as ../ (or an absolute path, depending on how the components are joined) escapes the intended input directory and causes the uploaded content to be written elsewhere on the host filesystem. An arbitrary file write of this kind can overwrite configuration or application files, plant code that is executed later, or corrupt data the service depends on.

The CVSS 4.0 vector rates the attack as local (AV:L) with low privileges (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity and availability (VC:L, VI:L, VA:L), for a base score of 4.8 (medium). No exploitation in the wild has been reported. Two caveats matter in practice. First, VulDB's own description calls the issue critical while the vector scores it medium; an arbitrary file write frequently chains into code execution under the service account, so the base score should not be read as an upper bound on impact. Second, the vulnerable function lives in an API router module, which suggests the filename arrives through the service's upload endpoint; "local" in the vector is therefore a scoring decision rather than a statement that only users logged in to the host can reach the code path. Whoever can submit an upload to the LightRAG API controls the filename, and a deployment that exposes that API beyond localhost widens the attacker population accordingly.

The fix is commit 60777d535b719631680bcf5d0969bdef79ca4eaf. Upgrading to a release that includes it, or applying the patch directly, is the recommended remediation.

Potential Impact

For European organizations running LightRAG 1.3.0 to 1.3.8, the vulnerability lets a local attacker or malicious insider write files outside the intended upload directory. What that buys the attacker depends on where the service account can write: overwriting application or configuration files can lead to code execution under that account, overwriting indexed documents corrupts the retrieval corpus, and filling or clobbering other paths can take the service down. Any of these compromises the integrity and availability of the document-processing workflows LightRAG supports. Where the processed documents contain personal data, unauthorized file manipulation may also constitute a reportable incident under GDPR. Because the attack is scored as local, exposure is greatest on shared hosts, systems with weak endpoint controls, or deployments where many internal users can reach the service; the medium rating reflects the limited vector, not a low impact. Organizations in finance, healthcare and government, where document integrity and availability are paramount, face operational and reputational damage if the flaw is exploited.

Mitigation Recommendations

1. Apply the official patch (commit 60777d535b719631680bcf5d0969bdef79ca4eaf), or upgrade to a release that contains it, on every LightRAG installation running 1.3.0 to 1.3.8.
2. Restrict access to systems running LightRAG, and to its API, to trusted users only, with strict authentication and authorization; do not expose the API beyond the hosts that need it.
3. Monitor the LightRAG input directory and its neighbours for writes, and run file-integrity checking on the application and configuration paths the service account can reach, so that an out-of-directory write is detected.
4. Validate client-supplied filenames at the application layer: accept only a bare file name (no path separators of either kind, no NUL bytes, not "." or ".."), and after joining it to the input directory verify that the resolved path is still a direct child of that directory. Block-listing "../" alone is not sufficient.
5. Run LightRAG in a container or sandbox with a read-only application tree and a dedicated, non-privileged service account, so that an escaped write lands on a writable volume rather than on code or configuration.
6. Include file-upload handling and local privilege escalation in regular security audits and penetration tests.
7. Educate internal users about the risks of local exploitation and enforce endpoint security practices that reduce insider threat.
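The following is an added example, not LightRAG's code and not the content of the patch. It models the bug class described in the Technical Analysis (an upload handler that builds the destination path from file.filename) beside the hardened check that mitigation 4 calls for. INPUT_DIR, the sample filenames and the function names are assumptions made for illustration; the directory does not need to exist for the logic to run.

```python
import re
from pathlib import Path

# Added example, not LightRAG's code. It models the bug class described for
# CVE-2025-6773 (an upload handler that trusts file.filename when building the
# destination path) next to a hardened version. INPUT_DIR is a hypothetical
# upload directory; it need not exist for the logic to run.
INPUT_DIR = Path("/srv/lightrag/inputs")

# Constructed test inputs; none come from a real report or exploit.
SAMPLE_FILENAMES = [
    "report.pdf",                 # benign
    "../../etc/cron.d/job",       # classic traversal
    "..\\..\\Windows\\win.ini",   # backslash traversal (os.path.basename on POSIX keeps it)
    "/etc/passwd",                # absolute path: pathlib's '/' discards the left operand
    "..",                         # pseudo-directory
    "notes\x00.txt",              # embedded NUL
]


def vulnerable_target_path(filename: str) -> Path:
    """Deliberately unsafe: joins the client-controlled filename as-is.

    Two traps in `INPUT_DIR / filename`: '..' segments are kept rather than
    normalised, and an absolute right-hand operand replaces INPUT_DIR entirely.
    """
    return INPUT_DIR / filename


def safe_target_path(filename: str, input_dir: Path = INPUT_DIR) -> Path:
    """Fail closed: accept a single plain file name, then confine it."""
    # Refuse anything that is not a bare name. Check both separator families,
    # because os.path.basename on POSIX treats backslash as an ordinary char.
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        raise ValueError(f"rejected filename: {filename!r}")
    if filename in (".", ".."):
        raise ValueError(f"rejected filename: {filename!r}")
    # Allow-list characters instead of block-listing traversal tokens; the
    # first character must be alphanumeric, which also excludes dotfiles.
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,254}", filename):
        raise ValueError(f"rejected filename: {filename!r}")
    base = input_dir.resolve()
    target = (base / filename).resolve()
    # Defence in depth: confirm the resolved path is a direct child of the
    # input directory even after sanitising (guards against a later edit that
    # loosens the checks above, or a symlinked base directory).
    if target.parent != base:
        raise ValueError(f"escaped input directory: {filename!r}")
    return target


def is_accepted(filename: str) -> bool:
    """True if the hardened check would accept this filename."""
    try:
        safe_target_path(filename)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name in SAMPLE_FILENAMES:
        verdict = str(safe_target_path(name)) if is_accepted(name) else "REJECTED"
        print(f"{name!r:30} unsafe -> {vulnerable_target_path(name)}")
        print(f"{'':30} safe   -> {verdict}")
```

Run it directly to see, for each constructed filename, where the naive join would have written and what the hardened check does instead. The design choice worth noting is that the hardened version rejects rather than repairs: stripping the name down to its last component would quietly accept `..\..\Windows\win.ini` as `win.ini`, whereas rejecting it leaves a log-worthy signal that someone sent a traversal payload.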

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-06-27T10:22:28.489Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 685eec836f40f0eb726601af

Added to database: 6/27/2025, 7:09:55 PM

Last enriched: 6/27/2025, 7:24:33 PM

Last updated: 7/11/2025, 6:04:39 AM
