CVE-2026-31886

Dagu · Dagu

A path traversal vulnerability in Dagu's workflow engine allows attackers to manipulate the dagRunId field to delete arbitrary directories, including the system temporary directory.

Executive summary

A critical path traversal vulnerability in Dagu allows for arbitrary directory deletion, potentially leading to a system-wide denial of service on root or Docker deployments.

Vulnerability

This flaw exists in the inline DAG execution endpoints where the dagRunId field is passed to filepath.Join without validation. An unauthenticated or unauthorized caller can use ".." segments to traverse the file system, causing a deferred os.RemoveAll call to delete unintended directories, such as /tmp.
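The unchecked join described above, beside a hardened variant that validates the id and confirms the resolved path stays inside the run directory, as an added Go illustration (not Dagu's code; the base directory, function names and sample ids are assumed):

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeRunID is returned when a run id would escape the base directory.
var ErrUnsafeRunID = errors.New("unsafe dagRunId")

// unsafeRunDir mirrors the pattern the advisory describes: the caller-supplied
// id is joined onto the base directory with no validation, so an id made of
// ".." segments resolves to a parent such as /tmp, and a deferred
// os.RemoveAll on the result would delete that parent.
func unsafeRunDir(baseDir, runID string) string {
	return filepath.Join(baseDir, runID)
}

// safeRunDir is a hardened variant (assumed, not the project's code): it only
// accepts a single clean path element and then re-checks containment, so the
// returned path is safe to hand to os.RemoveAll.
func safeRunDir(baseDir, runID string) (string, error) {
	// Reject empty ids, the "." and ".." elements, and any path separator.
	if runID == "" || runID == "." || runID == ".." ||
		strings.ContainsAny(runID, `/\`) {
		return "", ErrUnsafeRunID
	}
	base := filepath.Clean(baseDir)
	dir := filepath.Join(base, runID)
	// Containment check: the path relative to base must not climb upward.
	rel, err := filepath.Rel(base, dir)
	if err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeRunID
	}
	return dir, nil
}

func main() {
	base := "/tmp/dagu/runs" // assumed layout for the example
	for _, id := range []string{"run-123", "../..", "../../etc"} {
		fmt.Printf("unsafe: %-12q -> %s\n", id, unsafeRunDir(base, id))
		if dir, err := safeRunDir(base, id); err != nil {
			fmt.Printf("safe:   %-12q -> rejected (%v)\n", id, err)
		} else {
			fmt.Printf("safe:   %-12q -> %s\n", id, dir)
		}
	}
}
```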

Business impact

A successful exploit can result in a total Denial of Service (DoS). In non-root deployments, the attacker can disrupt all concurrent Dagu processes by deleting their temporary files. In root or Docker environments, the deletion of the entire /tmp directory can crash the underlying operating system and all hosted services. The CVSS score of 9.1 reflects the critical nature of this availability impact and the low complexity of exploitation.

Remediation

Immediate Action: Update Dagu to version 2.2.4 or later to resolve the path validation flaw and prevent unauthorized directory deletion.

Proactive Monitoring: Review system logs for HTTP requests containing directory traversal sequences (e.g., "../") targeted at DAG execution endpoints.

Compensating Controls: Implement a Web Application Firewall (WAF) to filter and block requests containing path traversal sequences in the dagRunId parameter.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this vulnerability cannot be overstated, particularly for organizations running Dagu in containerized or root-privileged environments. The ability for an attacker to trigger a system-wide denial of service necessitates an immediate upgrade to version 2.2.4. Organizations should prioritize this patch in their next maintenance window to mitigate the risk of significant operational downtime.