Path Traversal Vulnerability in HKUDS LightRAG File Upload
CVE-2025-6773
4.8 MEDIUM
What is CVE-2025-6773?
A path traversal vulnerability exists in HKUDS LightRAG versions up to 1.3.8 and affects the file upload functionality. Specifically, the vulnerability lies in the 'upload_to_input_dir' function within the 'document_routes.py' file. A maliciously crafted filename can be used to traverse the directory structure, potentially allowing unauthorized access to the file system on the local server. To mitigate this issue, applying the available patch is strongly advised.
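The filename-handling weakness described above, as an added Python example showing a naive join beside a hardened resolver. It is not LightRAG's code or its patch; `naive_upload_path`, `safe_upload_path` and `UnsafeFilename` are hypothetical names, and the sample filenames are constructed.

```python
from pathlib import Path, PureWindowsPath
import tempfile


class UnsafeFilename(ValueError):
    """Client-supplied filename would escape the upload directory."""


def naive_upload_path(input_dir: Path, filename: str) -> Path:
    # Weak pattern: the client-controlled name is joined as-is, so "../"
    # segments or an absolute path decide where the file lands.
    return input_dir / filename


def safe_upload_path(input_dir: Path, filename: str) -> Path:
    # Reject empty names and embedded NUL bytes outright.
    if not filename or "\x00" in filename:
        raise UnsafeFilename(repr(filename))
    # Treat both "/" and "\" as separators and keep only the last component;
    # anything that is not already a bare file name is refused, not rewritten.
    name = PureWindowsPath(filename.replace("/", "\\")).name
    if name in ("", ".", "..") or name != filename:
        raise UnsafeFilename(repr(filename))
    base = input_dir.resolve()
    target = (base / name).resolve()
    # Containment check after resolution; also catches a symlink planted
    # inside the upload directory that points somewhere else.
    if base not in target.parents:
        raise UnsafeFilename(repr(filename))
    return target


if __name__ == "__main__":
    # Constructed sample filenames, as an upload handler might receive them.
    samples = ["report.pdf", "../../etc/passwd", "..\\secrets.txt", "/etc/passwd"]
    with tempfile.TemporaryDirectory() as tmp:
        inputs = Path(tmp) / "inputs"
        inputs.mkdir()
        for s in samples:
            try:
                print(f"{s!r}: accepted -> {safe_upload_path(inputs, s).name}")
            except UnsafeFilename:
                escaped = naive_upload_path(inputs, s).resolve()
                print(f"{s!r}: rejected (naive join resolves to {escaped})")
```

Refusing a suspicious name instead of silently stripping it keeps the rejection visible in logs, which helps when reviewing upload attempts.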
Affected Version(s)
LightRAG 1.3.0
LightRAG 1.3.1
LightRAG 1.3.2