Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2023-35844

CVE-2023-35844: Lightdash Path Traversal Vulnerability

CVE-2023-35844 is a path traversal flaw in Lightdash that allows attackers to access unauthorized files via directory traversal. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2023-35844 Overview

CVE-2023-35844 is a path traversal vulnerability affecting Lightdash, an open-source business intelligence platform. The vulnerability exists in packages/backend/src/routers where insecure file endpoints fail to properly validate user-supplied input, allowing attackers to use .. directory traversal sequences to access arbitrary files on the server. Additionally, the application does not enforce that downloaded files have intended extensions (.csv or .png), enabling attackers to retrieve sensitive files outside the expected directories.

Critical Impact

This vulnerability allows unauthenticated remote attackers to read arbitrary files from the server, potentially exposing configuration files, credentials, application source code, and other sensitive data stored on the system.

Affected Products

  • Lightdash versions prior to 0.510.3
  • Lightdash packages/backend/src/routers component
  • All Lightdash deployments with exposed file download endpoints

Discovery Timeline

  • 2023-06-19 - CVE-2023-35844 published to NVD
  • 2024-12-12 - Last updated in NVD database

Technical Details for CVE-2023-35844

Vulnerability Analysis

This directory traversal vulnerability (CWE-22) exists in the file endpoint handlers within Lightdash's backend routing module. The vulnerability allows attackers to manipulate file path parameters to escape the intended directory structure and access files anywhere on the filesystem that the application has read permissions for.

The core issue stems from two security deficiencies: First, the application fails to sanitize or validate path components containing directory traversal sequences like ... Second, there is no enforcement of expected file extensions, meaning attackers are not restricted to retrieving only .csv or .png files as intended by the application design.

This vulnerability is network-accessible without requiring authentication, making it particularly dangerous for internet-exposed Lightdash instances. Successful exploitation could lead to disclosure of sensitive configuration files, database credentials, API keys, or other confidential information stored on the server.

Root Cause

The root cause is improper input validation in the file download endpoints within packages/backend/src/routers. The application directly uses user-supplied path parameters to construct file paths without sanitizing directory traversal sequences or validating that the resulting path remains within the intended directory. The lack of file extension validation compounds this issue by removing an additional layer of defense that could have limited exploitation.

Attack Vector

The attack is conducted over the network against Lightdash's HTTP endpoints. An attacker can craft malicious requests containing .. sequences in file path parameters to traverse directories and access arbitrary files. Since no authentication is required and the attack complexity is low, any attacker with network access to the Lightdash instance can exploit this vulnerability.

A typical attack scenario involves:

  1. Identifying a vulnerable Lightdash file endpoint
  2. Crafting a request with directory traversal sequences (e.g., ../../../etc/passwd)
  3. Receiving the contents of sensitive files in the response

The vulnerability allows high-impact confidentiality breaches as attackers can read any file accessible to the Lightdash process, including configuration files with database credentials, environment variables, and application secrets.

Detection Methods for CVE-2023-35844

Indicators of Compromise

  • HTTP requests to Lightdash file endpoints containing .. or %2e%2e sequences
  • Unusual file access patterns in application logs referencing paths outside expected directories
  • Access to sensitive system files like /etc/passwd, configuration files, or credential stores
  • Anomalous network traffic patterns to Lightdash instances from unexpected sources

Detection Strategies

  • Monitor web application firewall (WAF) logs for path traversal patterns in requests
  • Implement intrusion detection rules to alert on ../ sequences in URL parameters
  • Review Lightdash access logs for requests to file endpoints with suspicious path components
  • Deploy file integrity monitoring on sensitive configuration files and directories

Monitoring Recommendations

  • Enable verbose logging on Lightdash file endpoints to capture full request paths
  • Configure SIEM rules to correlate multiple path traversal attempts from the same source
  • Monitor for data exfiltration indicators following potential exploitation attempts
  • Implement real-time alerting for access to sensitive file paths from web application processes

How to Mitigate CVE-2023-35844

Immediate Actions Required

  • Upgrade Lightdash to version 0.510.3 or later immediately
  • If immediate patching is not possible, restrict network access to Lightdash instances
  • Review access logs for evidence of exploitation attempts
  • Audit any potentially exposed sensitive data and rotate credentials if necessary

Patch Information

Lightdash has addressed this vulnerability in version 0.510.3. The fix is available through GitHub Pull Request #5090 and the specific commit can be reviewed at GitHub Commit fcc808c84c2cc3afb343063e32a49440d32a553c. Release notes detailing changes between versions are available in the GitHub Release Comparison.

Additional technical details about this vulnerability can be found in the DW1 Security Advisory #59.

Workarounds

  • Place Lightdash behind a reverse proxy or WAF with path traversal filtering rules
  • Restrict access to Lightdash file download endpoints at the network level using firewall rules
  • Implement IP allowlisting to limit access to trusted networks only
  • Monitor and block requests containing directory traversal patterns (.., %2e%2e, etc.)
bash
# Example nginx configuration to block path traversal attempts
location /api/ {
    # Block requests containing path traversal sequences
    if ($request_uri ~* "\.\.") {
        return 403;
    }
    
    # Block URL-encoded traversal attempts
    if ($request_uri ~* "%2e%2e") {
        return 403;
    }
    
    proxy_pass http://lightdash_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne