Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

GHSA-824x-88xg-cwrv

Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read
Back to all
CVE

GHSA-824x-88xg-cwrv

Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read

Summary

Authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality.

<img width="664" height="899" alt="image" src="https://github.com/user-attachments/assets/fd1ca69e-b275-4daf-9a62-621cde6525f5" />

<img width="2358" height="445" alt="image" src="https://github.com/user-attachments/assets/fad81152-9e1b-413e-9823-09540a23e2fb" />

Details

The Backup addon does not validate the EXPDIR POST parameter against the UI-generated allowlist of permitted directories.  

An attacker can supply relative paths containing ../ sequences (or even absolute paths inside the document root) to include any readable file in the generated .tar.gz archive.

Vulnerable code:

  • redaxo/src/addons/backup/pages/export.php (lines 72-76) – directly uses $_POST['EXPDIR']
  • redaxo/src/addons/backup/lib/backup.php (lines ~413 & ~427) – concatenates unsanitized user input with base path

This allows disclosure of sensitive files such as:

  • redaxo/data/core/config.yml → database credentials + password hashes of all backend users
  • .env, custom configuration files, logs, uploaded malicious files, etc.

Affected versions

≤ 5.20.1 (confirmed working)

Patched versions

None (as of 2025-12-09)

PoC – Extracting database credentials and password hashes

  1. Log in as any user with Backup permission
  2. Go to Backup → Export → Files

<img width="1240" height="960" alt="image" src="https://github.com/user-attachments/assets/bc05ba18-9664-4be2-b637-4fec3a0f409a" />

  1. Intercept the request with Burp Suite 

<img width="2184" height="478" alt="image" src="https://github.com/user-attachments/assets/9fa754a1-2cd0-4d3d-a5cc-cfa34c8a1718" />

  1. Change one EXPDIR[] value to ../../../../var/www/html/redaxo/data/core

<img width="978" height="591" alt="image" src="https://github.com/user-attachments/assets/d15f5c7f-b72c-44cc-9be2-da8d3f26f124" />

  1. Send request → download archive

<img width="423" height="131" alt="image" src="https://github.com/user-attachments/assets/db8a8bda-cdaf-4dea-812f-1e312da908e2" />

  1. Extract and open data/core/config.yml

<img width="859" height="281" alt="image" src="https://github.com/user-attachments/assets/c8112ce1-5a1d-435f-953b-7eb4e711e042" />

Result: plaintext database password 

<img width="2534" height="1198" alt="image" src="https://github.com/user-attachments/assets/218ae917-868a-437e-98b0-6471b82c0b10" />

Impact

Full compromise of the REDAXO installation:

  • Database takeover
  • Password hash extraction → offline cracking → admin access
  • When combined with other vulnerabilities → RCE

CVSS 4.0 vector & score below.

Credits

Discovered by: Łukasz Rybak

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.3
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
-

Related Resources

No items found.

References

https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv, https://nvd.nist.gov/vuln/detail/CVE-2026-21857, https://github.com/redaxo/redaxo, https://github.com/redaxo/redaxo/releases/tag/5.20.2

Severity

0

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
0
EPSS Probability
0.00044%
EPSS Percentile
0.13427%
Introduced Version
0
Fix Available
5.20.2

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading