GHSA-gj54-gwj9-x2c6: 
vulnerability analysis and mitigation

A high severity vulnerability (GHSA-gj54-gwj9-x2c6) was discovered in eKuiper's /config/uploads API, affecting versions <= 1.14.7 and < 2.2.0 of the software. The vulnerability was published and reviewed on July 3, 2025, with a CVSS score of 7.3. The issue lies in the API's handling of file uploads, which lacks proper security restrictions (GitHub Advisory).

The vulnerability stems from the /config/uploads API's ability to access remote web URLs and save files in the local upload directory without proper security restrictions. The core issue is in the fileUploadHandler function where the fc.Name parameter is not safely filtered, allowing for path traversal attacks. The vulnerability has been assigned a CVSS v4 base score of 7.3, with attack vector being Network, attack complexity Low, and requiring High privileges but no user interaction (GitHub Advisory).

The vulnerability enables arbitrary file writing through directory traversal (../) attacks. When the application runs with root privileges, it can lead to Remote Code Execution (RCE) by writing crontab files or ssh keys. The impact metrics indicate High severity for Confidentiality, Integrity, and Availability of the vulnerable system (GitHub Advisory).

The vulnerability has been patched in version 2.2.0 of eKuiper. Users are advised to upgrade to this version to mitigate the risk (GitHub Advisory).

The vulnerability was reported by m0d9 from Tencent YunDing Lab, demonstrating active security research involvement from major technology companies (GitHub Advisory).