skip to content
Back to
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
October 5, 2023

GHSL-2023-191: Arbitrary File Read in ShokoServer - CVE-2023-43662

Kevin Stubbings

Coordinated Disclosure Timeline


An arbitrary file read exists in the /api/Image/WithPath endpoint that would allow unauthenticated attackers to read arbitrary files on Windows systems.



Tested Version



/api/Image/WithPath arbitrary file read (GHSL-2023-191)

The /api/Image/WithPath endpoint is accessible without authentication and is supposed to return default server images. The endpoint accepts the parameter serverImagePath, which is not sanitized in any way before being passed to System.IO.File.OpenRead, which results in an arbitrary file read.

    public object GetImageUsingPath(string serverImagePath)
        if (!System.IO.File.Exists(serverImagePath))
            logger.Trace("Could not find AniDB_Cover image: {0}", serverImagePath);
            return NotFound();

        Response.ContentType = Mime.GetMimeMapping(serverImagePath);
        return System.IO.File.OpenRead(serverImagePath);


This issue may lead to Arbitrary File Read. The windows installer installs the ShokoServer as administrator, so any unauthenticated attacker may be able to access sensitive information and read files stored on the server.


In order to exploit this vulnerability on Windows, run curl http:/shokoserever.domain/api/Image/withpath/C:\Windows\secret.txt, where shokoserever.domain is your ShokoServer instance. This will return the contents of C:\Windows\secret.txt. Browsers will auto convert \ to / so use a tool like curl or a proxy to ensure the path is correct.

This vulnerability was found with the help of CodeQl’s Path Injection Query.



This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).


You can contact the GHSL team at, please include a reference to GHSL-2023-191 in any communication regarding this issue.