GHSA-gj54-gwj9-x2c6: eKuiper /config/uploads API arbitrary file writing may lead to RCE
The eKuiper /config/uploads API can fetch a file from a remote web URL and save it into the local upload directory, but it applies no restriction to the supplied file name. A name containing ../ therefore escapes the upload directory, giving an arbitrary file write anywhere the eKuiper process has write access. If the service runs as root, that is enough for remote code execution, for example by writing a crontab entry or an SSH authorized_keys file.
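The flaw is a missing path check on the file name before it is joined onto the upload directory. The following Go example is added here to illustrate that pattern and its fix; it is not eKuiper's own code, and the upload directory, function names and sample file names are assumptions for the demonstration. vulnerableUploadPath mirrors the unchecked join, so a name with ../ components resolves to a path outside the upload directory; safeUploadPath rejects anything that is not a bare file name and then verifies, as defence in depth, that the cleaned path still lies under the directory.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// vulnerableUploadPath mirrors the flawed pattern: the caller-supplied name
// is joined onto the upload directory with no check, so "../" components
// walk out of it. filepath.Join cleans the result, which is exactly what
// turns "<dir>/../../etc/cron.d/x" into "/etc/cron.d/x".
func vulnerableUploadPath(dir, name string) string {
	return filepath.Join(dir, name)
}

// safeUploadPath only accepts a bare file name (no separators, no "." or
// ".."), joins it onto dir and then re-checks that the cleaned path has not
// escaped dir. Rejecting rather than silently renaming keeps the failure
// visible to the caller and to logs.
func safeUploadPath(dir, name string) (string, error) {
	if name == "" || name == "." || name == ".." ||
		name != filepath.Base(name) || strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("rejected file name %q: must be a bare file name", name)
	}
	full := filepath.Join(dir, name)
	// Defence in depth: confirm the final path is still inside dir.
	rel, err := filepath.Rel(dir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("rejected %q: resolves outside the upload directory", name)
	}
	return full, nil
}

func main() {
	// Assumed upload directory for the demonstration; a temp dir so nothing
	// outside it is touched if this is run. Files are not actually written.
	tmp, err := os.MkdirTemp("", "uploads")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmp)

	// Constructed sample names: one legitimate upload and two traversal attempts
	// of the kind the advisory describes (crontab entry, SSH key).
	names := []string{
		"model.zip",
		"../../../../etc/cron.d/backdoor",
		"../../../../root/.ssh/authorized_keys",
	}
	for _, name := range names {
		fmt.Printf("vulnerable: %-42q -> %s\n", name, vulnerableUploadPath(tmp, name))
		if p, err := safeUploadPath(tmp, name); err != nil {
			fmt.Printf("safe:       %-42q -> %v\n", name, err)
		} else {
			fmt.Printf("safe:       %-42q -> %s\n", name, p)
		}
	}
}
```

The same check belongs in front of any write that takes a name from a request, whether the file body comes from a multipart upload or from a URL the server fetched on the client's behalf. Note that the bare-name rule also rejects names that merely contain a separator (for example a subdirectory), which is the safer default for an upload endpoint that documents a single flat directory.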