CVE-2025-6773: 
Python vulnerability analysis and mitigation

A critical path traversal vulnerability was discovered in HKUDS LightRAG versions up to 1.3.8, identified as CVE-2025-6773. The vulnerability affects the uploadtoinputdir function in the file lightrag/api/routers/documentroutes.py component of the File Upload system. The issue was discovered on June 20, 2025, and disclosed on June 27, 2025. The vulnerability stems from insufficient validation of the file.filename parameter, which allows manipulation of file paths during upload operations ([Wiz], [VulDB]).

The vulnerability occurs in the uploadtoinputdir function where the destination file path is constructed using the operation filepath = docmanager.input_dir / file.filename. The filename parameter is user-controllable input, allowing manipulation to perform path traversal attacks. The vulnerability has received a CVSS v3.1 Base Score of 5.3 (MEDIUM) and a CVSS v4.0 score of 4.8 (MEDIUM). The issue is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) ([VulDB], [GitHub Commit]).

The vulnerability enables attackers to upload files to arbitrary locations within the server's filesystem hierarchy, bypassing the intended input directory constraints. This could potentially lead to unauthorized access to sensitive files and directories outside the intended upload directory. The impact affects confidentiality, integrity, and availability of the system ([VulDB], [Wiz]).

A patch has been released with identifier 60777d535b719631680bcf5d0969bdef79ca4eaf. The fix includes implementing a new sanitize_filename() function that validates and cleans uploaded filenames by removing path separators, traversal sequences, and control characters. The patch also verifies that final paths stay within the input directory using Path.resolve(). It is recommended to upgrade to the patched version immediately ([GitHub Commit], [Wiz]).