CVE-2025-8729 Overview
A path traversal vulnerability has been identified in MigoXLab LMeterX version 1.2.0, affecting the process_cert_files function within backend/service/upload_service.py. This vulnerability allows attackers to manipulate the task_id argument to traverse directories and potentially access or modify files outside the intended directory structure. The attack can be launched remotely by authenticated users, making it a significant security concern for deployments of this load testing tool.
Critical Impact
Remote attackers with low privileges can exploit path traversal via the task_id parameter to read or write files outside intended directories, potentially compromising system integrity and data confidentiality.
Affected Products
- MigoXLab LMeterX 1.2.0
Discovery Timeline
- August 8, 2025 - CVE-2025-8729 published to NVD
- September 16, 2025 - Last updated in NVD database
Technical Details for CVE-2025-8729
Vulnerability Analysis
This vulnerability resides in the file upload service component of LMeterX, specifically within the process_cert_files function in backend/service/upload_service.py. The application fails to properly sanitize and validate the task_id parameter before using it to construct file paths for certificate file operations. This oversight allows attackers to inject path traversal sequences (such as ../) into the task_id value, enabling them to escape the intended directory and access arbitrary locations on the file system.
The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a common weakness that occurs when user-supplied input is used to construct file paths without adequate validation.
Root Cause
The root cause of this vulnerability is insufficient input validation on the task_id parameter within the file upload service. The process_cert_files function directly uses the user-supplied task_id value to construct file paths for certificate file storage and retrieval without sanitizing path traversal characters or validating that the resulting path remains within the expected directory boundaries.
Attack Vector
The attack can be conducted remotely over the network by an authenticated user with low privileges. An attacker can craft a malicious request to the upload API endpoint, providing a specially crafted task_id value containing directory traversal sequences. When processed by the vulnerable process_cert_files function, this allows the attacker to read sensitive files, overwrite configuration files, or potentially achieve code execution by placing malicious files in executable locations.
The security patch modifies the API endpoint handling in backend/api/api_upload.py to properly handle form data and implement validation:
from typing import List, Optional
-from fastapi import APIRouter, File, Request, UploadFile
+from fastapi import APIRouter, File, Form, Request, UploadFile
from model.upload import UploadFileRsp
from service.upload_service import upload_file_svc
Source: GitHub Commit
The patch also includes database schema changes to properly structure task storage with validated identifiers:
+SET NAMES utf8mb4;
+SET FOREIGN_KEY_CHECKS = 0;
+-- 确保数据库存在并使用该数据库
+CREATE DATABASE IF NOT EXISTS lmeterx;
+USE lmeterx;
+
+-- ----------------------------
+-- Table structure for tasks
+-- ----------------------------
+DROP TABLE IF EXISTS `tasks`;
+CREATE TABLE `tasks` (
+ `id` varchar(36) COLLATE utf8mb4_unicode_ci NOT NULL,
+ `name` varchar(100) COLLATE utf8mb4_unicode_ci NOT NULL,
+ `status` varchar(20) COLLATE utf8mb4_unicode_ci DEFAULT 'idle',
+ `target_host` varchar(255) COLLATE utf8mb4_unicode_ci DEFAULT NULL,
+ `model` varchar(100) COLLATE utf8mb4_unicode_ci DEFAULT NULL,
+ `system_prompt` longtext COLLATE utf8mb4_unicode_ci,
+ `user_prompt` longtext COLLATE utf8mb4_unicode_ci,
+ `stream_mode` varchar(20) COLLATE utf8mb4_unicode_ci DEFAULT 'True',
+ `concurrent_users` int(11) DEFAULT '1',
+ `spawn_rate` int(11) DEFAULT '0',
+ `duration` int(11) DEFAULT '60',
+ `chat_type` int(11) DEFAULT '0',
+ `log_file` longtext COLLATE utf8mb4_unicode_ci,
+ `result_file` longtext COLLATE utf8mb4_unicode_ci,
+ `cert_file` varchar(255) COLLATE utf8mb4_unicode_ci DEFAULT NULL,
+ `key_file` varchar(255) COLLATE utf8mb4_unicode_ci DEFAULT NULL,
+ `headers` json DEFAULT NULL,
+ `error_message` text COLLATE utf8mb4_unicode_ci,
+ `created_at` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP,
Source: GitHub Commit
Detection Methods for CVE-2025-8729
Indicators of Compromise
- Unusual HTTP requests to upload endpoints containing path traversal sequences (../, ..%2f, ..%5c) in task_id parameters
- File access or modification events in directories outside the LMeterX application's designated upload folders
- Web server logs showing requests with encoded directory traversal patterns targeting /api/upload endpoints
- Unexpected certificate files appearing in sensitive system directories
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing path traversal patterns in API parameters
- Monitor application logs for requests to the upload service with suspicious task_id values containing special characters or encoded sequences
- Deploy file integrity monitoring on critical system directories to detect unauthorized file modifications
- Review FastAPI access logs for anomalous patterns targeting certificate upload functionality
Monitoring Recommendations
- Enable detailed logging for the upload service and process_cert_files function to capture all incoming task_id values
- Set up alerts for file system access attempts outside the designated upload directories by the LMeterX application process
- Monitor network traffic for unusual file upload patterns or large numbers of requests to the upload API endpoint
How to Mitigate CVE-2025-8729
Immediate Actions Required
- Update MigoXLab LMeterX to a patched version incorporating commit f1b00597e293d09452aabd4fa57f3185207350e8
- Review access logs for evidence of exploitation attempts targeting the upload service
- Restrict network access to the LMeterX application to trusted users and networks only
- Audit file system permissions to ensure the application runs with minimal required privileges
Patch Information
A security patch is available for this vulnerability. The fix is identified by commit hash f1b00597e293d09452aabd4fa57f3185207350e8 in the MigoXLab LMeterX repository. The patch addresses the input validation issues in the upload API by properly importing and utilizing FastAPI's Form handling and restructuring the database schema for proper task ID validation.
For detailed patch information, refer to:
Workarounds
- Implement a reverse proxy or WAF in front of LMeterX to filter requests containing path traversal sequences before they reach the application
- Restrict access to the upload API endpoints using network-level access controls or authentication requirements
- Apply strict file system permissions to limit the directories accessible by the LMeterX application process
# Configuration example - Restrict LMeterX upload directory permissions
chmod 750 /path/to/lmeterx/uploads
chown lmeterx:lmeterx /path/to/lmeterx/uploads
# Configure nginx to block path traversal attempts
# Add to nginx server block for LMeterX
location /api/upload {
if ($request_uri ~* "\.\.") {
return 403;
}
proxy_pass http://lmeterx_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

