Platform: go
Component: github.com/alist-org/alist
Fixed in: 3.57.1, 3.57.0
CVE-2026-25161 describes a Path Traversal vulnerability affecting alist, a file sharing and storage application. This vulnerability allows attackers to potentially read arbitrary files on the server, leading to sensitive data exposure. The vulnerability impacts versions of alist prior to 3.57.0, and a patch has been released to address the issue.
The Path Traversal vulnerability in alist allows an attacker to bypass intended access restrictions and read files outside of the intended directory. This could include sensitive configuration files, source code, or even user data. Successful exploitation could lead to the disclosure of credentials, API keys, or other confidential information. The impact is amplified if the alist instance is used to store sensitive data or is integrated with other systems, as an attacker could potentially gain access to broader resources through this initial foothold. This vulnerability is similar in nature to other path traversal flaws, where attackers manipulate file paths to access unauthorized resources.
CVE-2026-25161 was publicly disclosed on 2026-02-05. There is currently no indication of active exploitation campaigns targeting this vulnerability. The EPSS score is pending evaluation. Public proof-of-concept exploits are not yet widely available, but the nature of Path Traversal vulnerabilities makes it likely that such exploits will emerge.
Organizations and individuals using alist for file sharing and storage are at risk, particularly those running older versions prior to 3.57.0. Shared hosting environments where multiple users share the same alist instance are especially vulnerable, as a compromise of one user's account could potentially lead to access to other users' data.
• linux / server:
find /opt/alist -name '*alist*' -type f -exec grep -F '../' {} +  # Search for the literal string '../' in alist files (-F: fixed string, not a regex)
• generic web:
curl -I 'http://your-alist-instance/../../../../etc/passwd'  # Attempt to access sensitive files on your own instance
• linux / server:
journalctl -u alist -f | grep -i 'path traversal'  # Monitor alist logs for path traversal attempts
Disclosure
Exploit status:
EPSS: 0.03% (7th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-25161 is to upgrade alist to version 3.57.0 or later. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting file access permissions and implementing stricter input validation on file paths. Web application firewalls (WAFs) configured with rules to detect and block path traversal attempts can also provide an additional layer of defense. Monitor alist logs for suspicious file access patterns, particularly requests containing directory traversal sequences like ../.
Update Alist to version 3.57.0 or higher. This version contains the fix for the path traversal vulnerability. Download the latest version from the official website or the AlistGo repository.
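The input validation on file paths and the log monitoring recommended above, as an added Go example that is not alist's own code: SafeJoin confines a user-supplied path under a base directory and rejects anything that resolves outside it, and LooksLikeTraversal flags request paths containing plain, URL-encoded or double-encoded ".." segments when scanning access logs (the function names and the base directory used in the comments are assumptions).

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

var ErrTraversal = errors.New("path escapes base directory")

// SafeJoin resolves userPath under base and rejects any result that leaves base.
// The check is lexical: if base may contain symlinks, resolve it first with
// filepath.EvalSymlinks and apply the same check to the resolved path.
func SafeJoin(base, userPath string) (string, error) {
	// Decode once so "%2e%2e/" is treated like "../"; refuse malformed encoding.
	decoded, err := url.PathUnescape(userPath)
	if err != nil {
		return "", fmt.Errorf("bad path encoding: %w", err)
	}
	cleanBase := filepath.Clean(base)
	// Join treats userPath as relative to base even with a leading "/", and
	// resolves ".." lexically, so "../../etc/passwd" becomes a path above base.
	joined := filepath.Join(cleanBase, decoded)
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

// LooksLikeTraversal flags request paths containing a ".." segment, including
// URL-encoded and double-encoded forms, for use when scanning access logs.
func LooksLikeTraversal(rawPath string) bool {
	p := rawPath
	for i := 0; i < 2; i++ { // decode twice to catch "%252e%252e"
		d, err := url.PathUnescape(p)
		if err != nil {
			break
		}
		p = d
	}
	for _, seg := range strings.Split(strings.ReplaceAll(p, `\`, "/"), "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}
```

Use SafeJoin at the point where a request path is turned into a filesystem path, and run LooksLikeTraversal over the request path column of the access log to find probes that a WAF rule may have missed.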
CVE-2026-25161 is a Path Traversal vulnerability in alist (github.com/alist-org/alist) allowing attackers to read arbitrary files on the server.
You are affected if you are running alist versions prior to 3.57.0. Upgrade to the latest version to mitigate the risk.
Upgrade alist to version 3.57.0 or later. Consider temporary workarounds like restricting file access and using a WAF if immediate upgrade is not possible.
There is currently no indication of active exploitation campaigns, but the vulnerability's nature makes exploitation likely.
Refer to the alist GitHub repository and release notes for the official advisory and details on the fix: https://github.com/alist-org/alist