CVE-2025-53363

dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in app/application/http/controller/compose.go, where the uri parameter is passed directly to os.ReadFile without proper validation or access control. A logged-in attacker can exploit this flaw to read sensitive files from the host system, leading to information disclosure. No patched version is available as of this writing.

CVSS

No CVSS.

References

Link	Resource
https://github.com/donknap/dpanel/security/advisories/GHSA-gcqf-pxgg-gw8q

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) dpanel es un panel de administración de servidores de código abierto escrito en Go. En las versiones 1.2.0 a 1.7.2, dpanel permite a los usuarios autenticados leer archivos arbitrarios del servidor a través del endpoint de la API /api/app/compose/get-from-uri. La vulnerabilidad existe en la función GetFromUri de app/application/http/controller/compose.go, donde el parámetro uri se pasa directamente a os.ReadFile sin la validación ni el control de acceso adecuados. Un atacante con sesión iniciada puede explotar esta vulnerabilidad para leer archivos confidenciales del sistema host, lo que puede provocar la divulgación de información. No hay ninguna versión parcheada disponible al momento de escribir este artículo.

22 Aug 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-22 16:15

Updated : 2026-04-29 01:00

NVD link : CVE-2025-53363

Mitre link : CVE-2025-53363

CVE.ORG link : CVE-2025-53363

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73

External Control of File Name or Path

{"id": "CVE-2025-53363", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-22T16:15:44.887", "references": [{"url": "https://github.com/donknap/dpanel/security/advisories/GHSA-gcqf-pxgg-gw8q", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}]}], "descriptions": [{"lang": "en", "value": "dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in app/application/http/controller/compose.go, where the uri parameter is passed directly to os.ReadFile without proper validation or access control. A logged-in attacker can exploit this flaw to read sensitive files from the host system, leading to information disclosure. No patched version is available as of this writing."}, {"lang": "es", "value": "dpanel es un panel de administraci\u00f3n de servidores de c\u00f3digo abierto escrito en Go. En las versiones 1.2.0 a 1.7.2, dpanel permite a los usuarios autenticados leer archivos arbitrarios del servidor a trav\u00e9s del endpoint de la API /api/app/compose/get-from-uri. La vulnerabilidad existe en la funci\u00f3n GetFromUri de app/application/http/controller/compose.go, donde el par\u00e1metro uri se pasa directamente a os.ReadFile sin la validaci\u00f3n ni el control de acceso adecuados. Un atacante con sesi\u00f3n iniciada puede explotar esta vulnerabilidad para leer archivos confidenciales del sistema host, lo que puede provocar la divulgaci\u00f3n de informaci\u00f3n. No hay ninguna versi\u00f3n parcheada disponible al momento de escribir este art\u00edculo."}], "lastModified": "2026-04-29T01:00:01.613", "sourceIdentifier": "security-advisories@github.com"}