CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-4g5x-hcwm-82jw: Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise

highCVSS 7.7CVE-2026-53553
Click here to jump to the Simplified Chinese version (点击跳转到简体中文版本) Goploy System Arbitrary File Read Vulnerability Basic Information - Vulnerability Name: Goploy Endpoints Arbitrary File Read via Path Traversal - Vulnerability Type: Path Traversal (CWE-22) / Arbitrary File Read - Affected Product: Goploy - Severity Level: High (CVSS V3 7.7) - Known Affected Versions: <=1.17.5 Vulnerability Description Goploy is an open-source automation deployment system. A severe path traversal vulnerability exists in its backend API endpoints, specifically /deploy/fileDiff (File Compare), when handling file paths provided by the client. The original logic of this endpoint is to read a local project file and compare it with a file on a remote target server. However, due to insufficient validation and sanitization of the filePath parameter, and the lack of security constraints on the final absolute file path, malicious paths containing ../ are directly executed within the system. This leads to a dual arbitrary file read issue: 1. Local Host File Read: os.ReadFile is tricked by the directory traversal payload to read any file via its absolute path on the Goploy local host (returned in the srcText field of the response body). 2. Remote Controlled Server File Read: Subsequently, the same payload is utilized via the SFTP protocol on the target server pointed to by the serverID. Influenced similarly by the directory traversal, it reads any file on the configured remote server (returned in the distText field of the response body). The threshold for exploiting this vulnerability is extremely low, and the conditions are very easily met. The system comes with a built-in member role upon default installation, which is granted the "File Compare" permission by default. This means that as long as a normal low-privileged user is added to the system, they inherently possess the basic privileges required to call the vulnerable endpoint. The only prerequisite for the attack is that at least one

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 7.7
Published
2026-07-07
Last updated
2026-07-07
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-4g5x-hcwm-82jw

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-53553coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories