Auto_Bangumi is an RSS-based tool for automatically tracking and downloading anime. In versions between 3.1.6-fix and 3.1.18, the posters route handler in /backend/src/main.py
passes the user-supplied {path:path} parameter straight into FileResponse without any sanitisation. This is a directory traversal vulnerability: an unauthenticated attacker can read any file on the host that the Auto_Bangumi process itself can read.
Link to vulnerable code: https://github.com/EstrellaXD/Auto_Bangumi/blob/81b3a4aacd41e93032d809b27a69ebdd431a4ed0/backend/src/main.py#L41-L43
CVSS v4.0 Score: 8.7 / High
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Proof of concept (--path-as-is is required; without it curl collapses the ../ segments client-side and the request never reaches the vulnerable handler in traversal form):
curl -v --path-as-is http://localhost:10087/posters/../../../etc/passwd
- Do not expose Auto_Bangumi to the public network.
- Modify the code by replacing the following vulnerable code, in which the path parameter is interpolated into the file path unchecked, so "../" segments escape data/posters:
@app.get("/posters/{path:path}", tags=["posters"])
def posters(path: str):
    return FileResponse(f"data/posters/{path}")
With this secure alternative. StaticFiles resolves the requested path and only serves it if it stays inside data/posters; anything that resolves outside the directory is answered with 404 instead of the file:
from fastapi.staticfiles import StaticFiles
app.mount("/posters", StaticFiles(directory="data/posters"), name="posters")
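The following is an added, stand-alone example and not code from the Auto_Bangumi project. It places the string concatenation of the vulnerable handler beside a lookup that applies the same kind of containment check Starlette's StaticFiles performs (resolve symlinks on both the base directory and the candidate, then require the candidate to remain under the base), and runs both against a constructed temporary tree rather than a live server. It also goes beyond the single curl request above: it probes a percent-encoded ../ (the ASGI server decodes the path before the route sees it), an absolute path reachable via a double slash, a symlink inside the poster directory that points outside it, and a missing file. The PROBES table, the fixture layout and the helper names are this example's own assumptions.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Inputs that reach the route as the {path:path} parameter (constructed for this example).
PROBES = {
    "legit":     "ok.png",
    "traversal": "../../etc/passwd",        # shape of the advisory's curl PoC
    "encoded":   "..%2F..%2Fetc%2Fpasswd",  # percent-decoded by the ASGI server before routing
    "absolute":  "/etc/passwd",             # reachable as /posters//etc/passwd
    "symlink":   "evil.png",                # symlink inside posters/ pointing outside it
    "missing":   "missing.png",
}


def vulnerable_target(poster_dir: str, user_path: str) -> str:
    """What FileResponse(f"data/posters/{path}") ends up opening.

    The handler only concatenates, so the OS resolves any ".." segments and
    the request walks out of poster_dir. unquote() stands in for the ASGI
    server, which percent-decodes the path before the route matches.
    """
    return os.path.normpath(os.path.join(poster_dir, unquote(user_path)))


def safe_target(poster_dir: str, user_path: str) -> Optional[str]:
    """Hardened lookup: realpath both sides, then require containment.

    Returns None (serve a 404) for traversal, absolute paths, symlinks that
    escape the directory, directories and nonexistent files.
    """
    base = os.path.realpath(poster_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(user_path)))
    if os.path.commonpath([base, candidate]) != base:
        return None  # resolved outside the poster directory
    if not os.path.isfile(candidate):
        return None  # directory, dangling symlink or missing file
    return candidate


def build_fixture():
    """Constructed sample tree (not real Auto_Bangumi data):

    <root>/data/posters/ok.png                        legitimate poster
    <root>/data/posters/evil.png -> <root>/etc/passwd  symlink, if the OS allows it
    <root>/etc/passwd                                  stand-in for the real /etc/passwd
    """
    root = tempfile.mkdtemp(prefix="ab_traversal_demo_")
    posters = os.path.join(root, "data", "posters")
    os.makedirs(posters)
    os.makedirs(os.path.join(root, "etc"))
    Path(posters, "ok.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    Path(root, "etc", "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    try:
        os.symlink(os.path.join(root, "etc", "passwd"), os.path.join(posters, "evil.png"))
    except OSError:
        pass  # symlink creation not permitted (e.g. unprivileged Windows); probe still runs
    return root, posters


def run_demo() -> dict:
    """Evaluate every probe against both lookups and return, per probe, the path
    the vulnerable handler would open, whether that path lies outside the poster
    directory once symlinks are followed, and what the hardened lookup returns
    (None meaning 404)."""
    root, posters = build_fixture()
    try:
        base = os.path.realpath(posters)
        results = {}
        for name, probe in PROBES.items():
            vuln = vulnerable_target(posters, probe)
            real_vuln = os.path.realpath(vuln)
            results[name] = {
                "vulnerable_opens": vuln,
                "vulnerable_escapes": os.path.commonpath([base, real_vuln]) != base,
                "safe_returns": safe_target(posters, probe),
            }
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:10s} vulnerable opens  {outcome['vulnerable_opens']}")
        print(f"{'':10s} escapes directory {outcome['vulnerable_escapes']}")
        print(f"{'':10s} hardened returns  {outcome['safe_returns']}")
```

The check runs on the decoded path because that is what the route parameter contains; validating the raw, still-encoded URL would miss the "..%2F" form. Resolving with realpath rather than normpath is what catches the symlink case, which a purely lexical "does it start with data/posters" test would pass.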