VvvebJs icon indicating copy to clipboard operation
VvvebJs copied to clipboard
verified publisher icon givanz

Directory Traversal in /save.php allows arbitrary file write via file parameter

Open enigma522 opened this issue 8 months ago • 1 comments

VvvebJs suffers from a directory traversal vulnerability in the /save.php endpoint. The issue allows remote attackers to write arbitrary files outside the intended directory via the file POST parameter due to insufficient sanitization of user input.

This vulnerability exists only when the application is run using Node.js, following the project documentation (node save.js).

POC:

# Start the application with:
node save.js

# Send the malicious request:
curl -X POST http://localhost:8080/save.php \
  -d 'file=../flag.txt&html=exploit'

This will create a file named flag.txt one level above the server root, demonstrating path traversal and arbitrary file write.

enigma522 avatar Jul 16 '25 11:07 enigma522

Thanks for the vulnerability report.

givanz avatar Aug 09 '25 23:08 givanz