CVE-2026-45230
DumbAssets · DumbAssets
DumbAssets contains a path traversal vulnerability in the file deletion API that allows unauthenticated attackers to delete arbitrary files, resulting in denial of service.
Executive summary
A critical path traversal vulnerability in DumbAssets allows unauthenticated attackers to delete essential system files, leading to a complete denial of service.
Vulnerability
The POST /api/delete-file endpoint fails to validate the filesToDelete array, allowing an attacker to use ../ sequences to traverse outside the intended directory and delete critical files like server.js.
Business impact
The CVSS score of 9.1 highlights the severity of this vulnerability. While it primarily results in a denial of service, the ability to delete arbitrary files can be used to disrupt critical business operations or potentially clear evidence of other malicious activities.
Remediation
Immediate Action: Update to the latest version of DumbAssets and check the vendor advisory for specific patch details.
Proactive Monitoring: Monitor API access logs for suspicious input patterns, specifically repeated directory traversal sequences (../) in requests to POST /api/delete-file.
Compensating Controls: Implement strict path validation and ensure the application runs with the minimum file system permissions required.
Exploitation status
Public Exploit Available: No