Skip to main content
CVE Vulnerability Database

CVE-2024-2564: Pandax Path Traversal Vulnerability

CVE-2024-2564 is a critical path traversal vulnerability in PandaXGO PandaX that allows remote attackers to access unauthorized files. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2024-2564 Overview

CVE-2024-2564 is a path traversal vulnerability in PandaXGO PandaX through version 20240310. The flaw exists in the ExportUser function defined in /apps/system/api/user.go. Attackers can manipulate the filename argument to traverse directories using ../ sequences. The vulnerability is exploitable remotely without authentication and requires no user interaction. Public disclosure has occurred through the project's GitHub issue tracker and VulDB entry VDB-257063. The weakness is classified under [CWE-24] (Path Traversal: ../filedir).

Critical Impact

Remote, unauthenticated attackers can read or write files outside the intended export directory by injecting traversal sequences into the filename parameter of the user export endpoint.

Affected Products

  • PandaXGO PandaX versions up to and including 20240310
  • Component: /apps/system/api/user.go (ExportUser function)
  • Deployments exposing the PandaX system API to untrusted networks

Discovery Timeline

  • 2024-03-17 - CVE-2024-2564 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-2564

Vulnerability Analysis

The vulnerability resides in the ExportUser handler of the PandaX system API. The handler accepts a user-controlled filename parameter and uses it in a file system operation without sanitizing path separators or traversal sequences. By submitting values such as ../../etc/passwd or similar relative paths, an attacker influences the resolved file path outside the intended export directory.

Exploitation requires only network access to the exposed API endpoint. No authentication, privileges, or user interaction are required, which broadens the population of viable attackers. The EPSS probability is 0.507% with a percentile of 39.2, indicating limited observed exploitation activity at this time. The exploit details have been publicly disclosed via the GitHub Issue Tracker Entry and VulDB #257063.

Root Cause

The ExportUser function trusts the caller-supplied filename argument and concatenates or resolves it against a base path without normalizing the result or rejecting .. segments. Go's filepath.Clean is not applied, and there is no allowlist of permitted file names. As a result, the resolved path can escape the intended export directory boundary.

Attack Vector

An unauthenticated attacker issues an HTTP request to the user export endpoint with a crafted filename value containing directory traversal sequences. The application then opens, writes, or returns the file referenced by the attacker-controlled path. Depending on the file operation performed by ExportUser, the impact ranges from disclosure of sensitive configuration and credential files to overwriting application data on disk.

No verified proof-of-concept code is published in the NVD record. Refer to the PandaX GitHub Issue Tracker Entry for technical details of the disclosed exploitation path.

Detection Methods for CVE-2024-2564

Indicators of Compromise

  • HTTP requests to PandaX system API endpoints containing ../ or URL-encoded %2e%2e%2f sequences in the filename parameter
  • Access log entries referencing user export endpoints with unusual file extensions or absolute paths
  • Unexpected reads of sensitive files such as /etc/passwd, application configuration, or private key material by the PandaX service account
  • Files appearing outside the configured export directory with timestamps matching API request times

Detection Strategies

  • Inspect web access logs and WAF telemetry for traversal patterns targeting /apps/system/api/user routes
  • Correlate process and file-access telemetry from the PandaX host against expected export directories
  • Apply signatures for [CWE-24] path traversal in HTTP request inspection tooling

Monitoring Recommendations

  • Alert on any PandaX API request whose filename parameter contains path separators, .., or encoded variants
  • Monitor the PandaX service account for reads of files outside its working directory
  • Track outbound responses from the export endpoint that exceed normal export file sizes or content types

How to Mitigate CVE-2024-2564

Immediate Actions Required

  • Restrict network exposure of the PandaX system API to trusted management networks only
  • Place the PandaX application behind a reverse proxy or WAF that blocks traversal sequences in query and body parameters
  • Audit recent access logs for exploitation attempts against the ExportUser endpoint
  • Run the PandaX process under a least-privilege account that cannot read sensitive system files

Patch Information

No vendor-supplied patch is referenced in the NVD record at the time of publication. Track the upstream PandaX GitHub Issue Tracker Entry for a fix and upgrade to any release later than 20240310 once available. Until a fixed version is released, treat all PandaX deployments through 20240310 as vulnerable.

Workarounds

  • Add a request filter or WAF rule that rejects filename values containing /, \, .., or their URL-encoded forms
  • Constrain the export directory using filesystem permissions and a dedicated mount point with no parent-directory access
  • Disable or remove the user export endpoint if it is not required in your deployment
  • Apply egress controls on the host to prevent the service from reading sensitive files outside its working tree

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.