Skip to main content
CVE Vulnerability Database

CVE-2025-8729: Migoxlab Lmeterx Path Traversal Flaw

CVE-2025-8729 is a critical path traversal vulnerability in Migoxlab Lmeterx 1.2.0 affecting the upload service. Attackers can remotely exploit this flaw to access unauthorized files. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2025-8729 Overview

A path traversal vulnerability has been identified in MigoXLab LMeterX version 1.2.0, affecting the process_cert_files function within backend/service/upload_service.py. This vulnerability allows attackers to manipulate the task_id argument to traverse directories and potentially access or modify files outside the intended directory structure. The attack can be launched remotely by authenticated users, making it a significant security concern for deployments of this load testing tool.

Critical Impact

Remote attackers with low privileges can exploit path traversal via the task_id parameter to read or write files outside intended directories, potentially compromising system integrity and data confidentiality.

Affected Products

  • MigoXLab LMeterX 1.2.0

Discovery Timeline

  • August 8, 2025 - CVE-2025-8729 published to NVD
  • September 16, 2025 - Last updated in NVD database

Technical Details for CVE-2025-8729

Vulnerability Analysis

This vulnerability resides in the file upload service component of LMeterX, specifically within the process_cert_files function in backend/service/upload_service.py. The application fails to properly sanitize and validate the task_id parameter before using it to construct file paths for certificate file operations. This oversight allows attackers to inject path traversal sequences (such as ../) into the task_id value, enabling them to escape the intended directory and access arbitrary locations on the file system.

The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a common weakness that occurs when user-supplied input is used to construct file paths without adequate validation.

Root Cause

The root cause of this vulnerability is insufficient input validation on the task_id parameter within the file upload service. The process_cert_files function directly uses the user-supplied task_id value to construct file paths for certificate file storage and retrieval without sanitizing path traversal characters or validating that the resulting path remains within the expected directory boundaries.

Attack Vector

The attack can be conducted remotely over the network by an authenticated user with low privileges. An attacker can craft a malicious request to the upload API endpoint, providing a specially crafted task_id value containing directory traversal sequences. When processed by the vulnerable process_cert_files function, this allows the attacker to read sensitive files, overwrite configuration files, or potentially achieve code execution by placing malicious files in executable locations.

The security patch modifies the API endpoint handling in backend/api/api_upload.py to properly handle form data and implement validation:

python
from typing import List, Optional

-from fastapi import APIRouter, File, Request, UploadFile
+from fastapi import APIRouter, File, Form, Request, UploadFile

from model.upload import UploadFileRsp
from service.upload_service import upload_file_svc

Source: GitHub Commit

The patch also includes database schema changes to properly structure task storage with validated identifiers:

sql
+SET NAMES utf8mb4;
+SET FOREIGN_KEY_CHECKS = 0;
+-- 确保数据库存在并使用该数据库
+CREATE DATABASE IF NOT EXISTS lmeterx;
+USE lmeterx;
+
+-- ----------------------------
+-- Table structure for tasks
+-- ----------------------------
+DROP TABLE IF EXISTS `tasks`;
+CREATE TABLE `tasks` (
+  `id` varchar(36) COLLATE utf8mb4_unicode_ci NOT NULL,
+  `name` varchar(100) COLLATE utf8mb4_unicode_ci NOT NULL,
+  `status` varchar(20) COLLATE utf8mb4_unicode_ci DEFAULT 'idle',
+  `target_host` varchar(255) COLLATE utf8mb4_unicode_ci DEFAULT NULL,
+  `model` varchar(100) COLLATE utf8mb4_unicode_ci DEFAULT NULL,
+  `system_prompt` longtext COLLATE utf8mb4_unicode_ci,
+  `user_prompt` longtext COLLATE utf8mb4_unicode_ci,
+  `stream_mode` varchar(20) COLLATE utf8mb4_unicode_ci DEFAULT 'True',
+  `concurrent_users` int(11) DEFAULT '1',
+  `spawn_rate` int(11) DEFAULT '0',
+  `duration` int(11) DEFAULT '60',
+  `chat_type` int(11) DEFAULT '0',
+  `log_file` longtext COLLATE utf8mb4_unicode_ci,
+  `result_file` longtext COLLATE utf8mb4_unicode_ci,
+  `cert_file` varchar(255) COLLATE utf8mb4_unicode_ci DEFAULT NULL,
+  `key_file` varchar(255) COLLATE utf8mb4_unicode_ci DEFAULT NULL,
+  `headers` json DEFAULT NULL,
+  `error_message` text COLLATE utf8mb4_unicode_ci,
+  `created_at` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP,

Source: GitHub Commit

Detection Methods for CVE-2025-8729

Indicators of Compromise

  • Unusual HTTP requests to upload endpoints containing path traversal sequences (../, ..%2f, ..%5c) in task_id parameters
  • File access or modification events in directories outside the LMeterX application's designated upload folders
  • Web server logs showing requests with encoded directory traversal patterns targeting /api/upload endpoints
  • Unexpected certificate files appearing in sensitive system directories

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block requests containing path traversal patterns in API parameters
  • Monitor application logs for requests to the upload service with suspicious task_id values containing special characters or encoded sequences
  • Deploy file integrity monitoring on critical system directories to detect unauthorized file modifications
  • Review FastAPI access logs for anomalous patterns targeting certificate upload functionality

Monitoring Recommendations

  • Enable detailed logging for the upload service and process_cert_files function to capture all incoming task_id values
  • Set up alerts for file system access attempts outside the designated upload directories by the LMeterX application process
  • Monitor network traffic for unusual file upload patterns or large numbers of requests to the upload API endpoint

How to Mitigate CVE-2025-8729

Immediate Actions Required

  • Update MigoXLab LMeterX to a patched version incorporating commit f1b00597e293d09452aabd4fa57f3185207350e8
  • Review access logs for evidence of exploitation attempts targeting the upload service
  • Restrict network access to the LMeterX application to trusted users and networks only
  • Audit file system permissions to ensure the application runs with minimal required privileges

Patch Information

A security patch is available for this vulnerability. The fix is identified by commit hash f1b00597e293d09452aabd4fa57f3185207350e8 in the MigoXLab LMeterX repository. The patch addresses the input validation issues in the upload API by properly importing and utilizing FastAPI's Form handling and restructuring the database schema for proper task ID validation.

For detailed patch information, refer to:

Workarounds

  • Implement a reverse proxy or WAF in front of LMeterX to filter requests containing path traversal sequences before they reach the application
  • Restrict access to the upload API endpoints using network-level access controls or authentication requirements
  • Apply strict file system permissions to limit the directories accessible by the LMeterX application process
bash
# Configuration example - Restrict LMeterX upload directory permissions
chmod 750 /path/to/lmeterx/uploads
chown lmeterx:lmeterx /path/to/lmeterx/uploads

# Configure nginx to block path traversal attempts
# Add to nginx server block for LMeterX
location /api/upload {
    if ($request_uri ~* "\.\.") {
        return 403;
    }
    proxy_pass http://lmeterx_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.