A critical vulnerability has been identified in the PipesHub AI platform that allows an unauthenticated attacker on the network to write arbitrary files to the server. This flaw can be easily exploited to overwrite system files or upload malicious code, potentially leading to a complete compromise of the affected system. Organizations are urged to update to the latest version immediately to mitigate this significant risk.

The vulnerability is a combination of two weaknesses: a missing authentication check and a path traversal flaw. The API endpoint /api/v1/record/buffer/convert does not require any authentication, allowing any unauthenticated user to access it. An attacker can send a POST request to this endpoint with a file upload, where the filename is specially crafted to include path traversal sequences (e.g., ../../etc/passwd). The application fails to sanitize this filename and concatenates it with a temporary directory path, allowing the attacker to write the uploaded file to an arbitrary location on the filesystem with the permissions of the service account running the application. This can lead to remote file overwrite or the placement of a web shell, resulting in remote code execution.

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit could lead to a complete compromise of the server hosting the PipesHub platform, jeopardizing the confidentiality, integrity, and availability of the system and its data. Potential consequences include unauthorized access to sensitive enterprise data, deployment of ransomware, service disruption, and the use of the compromised server to launch further attacks against the internal network. The lack of authentication required for exploitation significantly increases the risk, as any attacker with network access to the platform can attempt to exploit it.

Immediate Action: The primary remediation is to upgrade all affected PipesHub instances to version 0.1.0-beta or later, where this vulnerability has been fixed. After patching, administrators should review access logs for any signs of exploitation attempts targeting the /api/v1/record/buffer/convert endpoint.

Proactive Monitoring:

• Review web server and application logs for any requests to the /api/v1/record/buffer/convert endpoint, particularly from unexpected or external IP addresses.
• Scrutinize logs for file upload attempts where the filename contains path traversal sequences like ../ or ..\.
• Implement File Integrity Monitoring (FIM) on sensitive system directories and the web application's root directory to detect unauthorized file creation or modification.

Compensating Controls: If immediate patching is not feasible, the following temporary measures can reduce risk:

• Implement a Web Application Firewall (WAF) rule to block all access to the /api/v1/record/buffer/convert endpoint.
• If the endpoint is required for business operations, configure WAF rules to inspect multipart/form-data requests and block any that contain path traversal sequences in the filename parameter.
• Restrict network access to the PipesHub application to only trusted IP addresses and internal networks.
• Ensure the PipesHub service account runs with the least possible privileges to limit the impact of an arbitrary file write.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the low complexity of exploitation, this vulnerability poses a severe and immediate threat to the organization. We strongly recommend that all affected PipesHub instances be patched to version 0.1.0-beta or later on an emergency basis. While this vulnerability is not currently listed on the CISA KEV catalog, its characteristics make it a prime candidate for future inclusion. If patching cannot be performed immediately, the compensating controls listed above, particularly blocking the vulnerable endpoint via a WAF, should be implemented without delay.