GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = "config"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:"required"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue.
PUBLISHED5.2CWE-22
GoDoxy has a Path Traversal Vulnerability in its File API
Problem type
Affected products
yusing
godoxy
< 0.27.5 - AFFECTED
References
https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v
https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v
https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059
https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059
https://github.com/yusing/godoxy/releases/tag/v0.27.5
https://github.com/yusing/godoxy/releases/tag/v0.27.5
GitHub Security Advisories
GHSA-4753-cmc8-8j9v
GoDoxy has a Path Traversal Vulnerability in its File API
https://github.com/advisories/GHSA-4753-cmc8-8j9vSummary
The file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Join(common.ConfigBasePath, filename) where ConfigBasePath = "config" (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (binding:"required").
An authenticated attacker can use ../ sequences to read or write files outside the intended config/ directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID.
Root Cause
File: internal/api/v1/file/get.go, lines 68-73:
func (t FileType) GetPath(filename string) string {
if t == FileTypeMiddleware {
return path.Join(common.MiddlewareComposeBasePath, filename)
}
return path.Join(common.ConfigBasePath, filename)
}
common.ConfigBasePath = "config"— relative path, not absolutepath.Join("config", "../certs/key.pem")normalizes to"certs/key.pem"— escapingconfig/- No call to
strings.HasPrefix,filepath.Rel, or any containment check exists - The
format:"filename"struct tag is an OpenAPI/Swagger annotation only, not enforced by the validator
Proof of Concept
Environment
- GoDoxy v0.27.4 (
ghcr.io/yusing/godoxy:latest) - Authentication enabled with default credentials (
admin/password)
Steps to Reproduce
Step 1 — Authenticate:
Step 2 — Read file outside config/ via path traversal:
GET /api/v1/file/content?type=config&filename=../certs/secret-agent-key.pem HTTP/1.1
Host: localhost:8888
Cookie: godoxy_token=<JWT>
HTTP Response
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 43
Content-Type: application/godoxy+yaml
Expires: 0
Pragma: no-cache
THIS_IS_A_SECRET_PRIVATE_KEY_FOR_AGENT_TLS
Impact
Files accessible via this vulnerability
../certs/agents/{host}.zip
CA cert + server cert + TLS private key
Impersonate GoDoxy server to remote agents
../data/oauth_refresh_tokens.json
OIDC refresh tokens for all active sessions
Account takeover via token reuse
../../etc/ssl/certs/ca-certificates.crt
System CA certificates
Information disclosure
Any file readable by UID 1000
Depends on mounted volumes
Variable
The PUT /api/v1/file/content endpoint is also affected. While the content must pass YAML schema validation (config or provider format), an attacker can write valid provider YAML files outside config/, potentially injecting malicious route definitions.
Suggested Remediation
Validate that the resolved path remains within the base directory:
func (t FileType) GetPath(filename string) (string, error) {
var base string
if t == FileTypeMiddleware {
base = common.MiddlewareComposeBasePath
} else {
base = common.ConfigBasePath
}
absBase, _ := filepath.Abs(base)
resolved, _ := filepath.Abs(filepath.Join(base, filename))
if !strings.HasPrefix(resolved, absBase+string(filepath.Separator)) {
return "", fmt.Errorf("path traversal detected: %s", filename)
}
return resolved, nil
}
github.com
https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v
github.com
https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059
github.com
https://github.com/yusing/godoxy/releases/tag/v0.27.5
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-33528
github.com
https://github.com/advisories/GHSA-4753-cmc8-8j9v
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-33528Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-33528",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-03-26T19:24:50.452Z",
"dateReserved": "2026-03-20T18:05:11.830Z",
"datePublished": "2026-03-26T19:24:50.452Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-03-26T19:24:50.452Z"
},
"title": "GoDoxy has a Path Traversal Vulnerability in its File API",
"descriptions": [
{
"lang": "en",
"value": "GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = \"config\"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:\"required\"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue."
}
],
"affected": [
{
"vendor": "yusing",
"product": "godoxy",
"versions": [
{
"version": "< 0.27.5",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
"cweId": "CWE-22",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v",
"name": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059",
"name": "https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/yusing/godoxy/releases/tag/v0.27.5",
"name": "https://github.com/yusing/godoxy/releases/tag/v0.27.5",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "HIGH",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM"
}
}
]
}
}
}