CVE-2025-6773: 
Python vulnerability analysis and mitigation

A critical path traversal vulnerability was discovered in HKUDS LightRAG versions up to 1.3.8, identified as CVE-2025-6773. The vulnerability affects the uploadtoinputdir function in the file lightrag/api/routers/documentroutes.py component of the File Upload system. The issue was discovered on June 20, 2025, and a patch was released with identifier 60777d535b719631680bcf5d0969bdef79ca4eaf (GitHub Commit, VulDB).

The vulnerability stems from insufficient validation of the file.filename parameter in the uploadtoinputdir function. The destination file path is constructed using the operation filepath = docmanager.inputdir / file.filename, where the filename parameter is user-controllable input. This allows manipulation of the argument file.filename to perform path traversal attacks. The vulnerability has received a CVSS v3.1 Base Score of 5.3 (MEDIUM) and a CVSS v4.0 score of 4.8 (MEDIUM) (VulDB).

The vulnerability enables attackers to upload files to arbitrary locations within the server's filesystem hierarchy, bypassing the intended input directory constraints. This could potentially lead to unauthorized access to sensitive files and directories outside the intended upload directory. The impact affects confidentiality, integrity, and availability of the system (VulDB).

A patch has been released to address this vulnerability. The fix includes implementing a new sanitize_filename() function that validates and cleans uploaded filenames by removing path separators, traversal sequences, and control characters. The patch also verifies that final paths stay within the input directory using Path.resolve(). It is recommended to upgrade to the patched version and apply the commit 60777d535b719631680bcf5d0969bdef79ca4eaf (GitHub Commit).