Platform
nodejs
Component
fuxa-server
Fixed in
1.2.12
1.2.11
CVE-2026-25951 describes a Path Traversal vulnerability discovered in fuxa-server. This flaw allows an authenticated administrator to bypass directory traversal protections, potentially leading to Remote Code Execution (RCE). The vulnerability impacts versions of fuxa-server prior to 1.2.11 and is a patch bypass of previous sanitization attempts. A fix is available in version 1.2.11.
The impact of CVE-2026-25951 is significant because of the potential for Remote Code Execution. An attacker with administrative privileges can exploit this vulnerability by crafting requests containing nested traversal sequences (e.g., '....//'). This allows them to write arbitrary files to the server's filesystem, including sensitive directories such as runtime/scripts. If the server reloads these malicious scripts, the attacker can execute arbitrary code with the privileges of the fuxa-server process. This could lead to complete system compromise, data exfiltration, or denial of service. The ability to write to the runtime/scripts directory is particularly concerning, as it directly affects the server's core functionality.
While no public exploits have been released, the vulnerability's nature and potential for RCE suggest a medium probability of exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability was publicly disclosed on 2026-02-10. The ease of exploitation, requiring only administrative privileges, increases the risk. The description indicates a patch bypass, suggesting attackers may be actively seeking ways to circumvent existing security measures.
Organizations relying on fuxa-server for critical services are at risk, particularly those with administrative interfaces exposed to the internet. Environments with legacy configurations or shared hosting setups where user privileges are not strictly controlled are especially vulnerable. Any deployment using older, unpatched versions of fuxa-server is potentially exposed.
• nodejs / server:
  journalctl -u fuxa-server -f | grep -i "path traversal"
• nodejs / server:
  ps aux | grep fuxa-server | grep -i "....//"
• generic web: Use curl to test for path traversal:
  curl 'http://your-fuxa-server/path/....//sensitive_file.txt'
• generic web: Grep access logs for requests containing suspicious path traversal sequences (e.g., '....//').
Disclosure
Exploit status
EPSS
0.04% (10th percentile)
CISA SSVC
The primary mitigation for CVE-2026-25951 is to upgrade fuxa-server to version 1.2.11 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Restrict administrative access to the fuxa-server to only trusted users. Implement strict input validation and sanitization on all user-supplied data, particularly file paths. Consider using a Web Application Firewall (WAF) with rules to detect and block malicious path traversal attempts. Monitor server logs for suspicious activity, such as attempts to access or modify files outside of expected directories. After upgrading, confirm the fix by attempting a path traversal attack and verifying that it is blocked.
Update FUXA to version 1.2.11 or later. This version fixes the path traversal vulnerability that allows remote code execution. The update will prevent attackers with administrative privileges from exploiting this vulnerability.
CVE-2026-25951 is a Path Traversal vulnerability in fuxa-server allowing authenticated admins to bypass directory protections and potentially achieve Remote Code Execution.
You are affected if you are running a version of fuxa-server prior to 1.2.11 and have authenticated administrators with access to the server.
Upgrade fuxa-server to version 1.2.11 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting admin access and input validation.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a potential for active exploitation.
Refer to the fuxa-server project's official website or security advisory page for the latest information and updates regarding CVE-2026-25951.