CVE-2025-6773 is a path traversal vulnerability identified in the HKUDS LightRAG software, specifically affecting versions 1.3.0 through 1.3.8. The vulnerability resides in the upload_to_input_dir function within the file lightrag/api/routers/document_routes.py, which handles file uploads. By manipulating the file.filename argument, an attacker with local access can exploit this flaw to perform path traversal attacks. This means the attacker can craft a filename containing directory traversal sequences (e.g., ../) to escape the intended upload directory and write files to arbitrary locations on the host filesystem. Such unauthorized file writes can lead to overwriting critical files, injecting malicious code, or disrupting system operations. The vulnerability requires local host access and low privileges (PR:L), does not require user interaction (UI:N), and has limited impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The CVSS 4.0 base score is 4.8, categorizing it as medium severity. Although no known exploits are currently reported in the wild, the vulnerability is critical in nature due to the potential for arbitrary file writes. A patch has been identified (commit 60777d535b719631680bcf5d0969bdef79ca4eaf) and applying it is recommended to remediate the issue. The vulnerability does not involve network attack vectors and is limited to local exploitation, which reduces its risk profile but still poses a significant threat in environments where untrusted users have local access to systems running vulnerable LightRAG versions.

For European organizations using HKUDS LightRAG versions 1.3.0 to 1.3.8, this vulnerability could allow local attackers or malicious insiders to write files outside the intended directories, potentially leading to unauthorized code execution, data corruption, or service disruption. This could compromise the integrity and availability of critical document management or processing workflows that LightRAG supports. In sectors with strict data protection regulations such as GDPR, unauthorized file manipulation could also lead to data breaches or compliance violations. Since the attack requires local access, the threat is particularly relevant for organizations with shared workstations, insufficient endpoint security, or weak internal access controls. The medium severity rating reflects the limited attack vector but does not diminish the risk in environments where local access controls are lax. European organizations in industries such as finance, healthcare, and government, where document integrity and availability are paramount, may face operational and reputational damage if exploited.

1. Immediately apply the official patch identified by commit 60777d535b719631680bcf5d0969bdef79ca4eaf to all affected LightRAG installations to fix the path traversal vulnerability. 2. Restrict local access to systems running LightRAG to trusted users only, enforcing strict user authentication and authorization policies. 3. Implement file system monitoring and integrity checking on directories used by LightRAG to detect unauthorized file writes or modifications. 4. Employ application-level input validation and sanitization for file upload functionality to prevent malicious filename manipulation. 5. Use containerization or sandboxing techniques to isolate LightRAG processes, limiting the impact of potential exploitation. 6. Conduct regular security audits and penetration testing focusing on local privilege escalation and file upload mechanisms. 7. Educate internal users about the risks of local exploitation and enforce endpoint security best practices to reduce insider threat risks.