April 12, 2024

GHSL-2023-277: Arbitrary File Deletion (AFD) in Owncast - CVE-2024-31450

Owncast in version 0.1.2 allows remote attackers with administrator privileges to delete arbitrary files by making a malicious POST request to /api/admin/emoji/delete.



Tested Version



Arbitrary file deletion in emoji.go (GHSL-2023-277)

The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of that API allows administrators to delete custom emojis, which are stored on disk. As can be seen in the following snippet, the name parameter is taken from the JSON request body and appended directly to the file path of the emoji to delete:


func DeleteCustomEmoji(w http.ResponseWriter, r *http.Request) {
	if !requirePOST(w, r) {
		return
	}

	type deleteEmoji struct {
		Name string `json:"name"`
	}

	emoji := new(deleteEmoji)

	if err := json.NewDecoder(r.Body).Decode(emoji); err != nil {
		// --snip--
	}

	// var emojiFileName = filepath.Base(emoji.Name)
	// The caller-controlled name is joined onto the emoji directory without sanitisation.
	targetPath := filepath.Join(config.CustomEmojiPath, emoji.Name)

	// The resulting path is removed without checking that it still lies inside that directory.
	if err := os.Remove(targetPath); err != nil {
		// --snip--
	}
	// --snip--
}

By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory.
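The following added example (not Owncast's code; the directory and emoji names are constructed) shows why filepath.Join alone does not keep the path inside the emoji directory, and what the fix hinted at by the commented-out filepath.Base line achieves when combined with a containment check:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideDir is returned when a requested name would resolve outside the emoji directory.
var ErrOutsideDir = errors.New("emoji name resolves outside the custom emoji directory")

// vulnerableTargetPath reproduces the construction shown in the advisory: the caller-supplied
// name is joined straight onto the emoji directory. filepath.Join cleans the result, so "../"
// segments are resolved, not rejected, and the final path can leave the directory entirely.
func vulnerableTargetPath(emojiDir, name string) string {
	return filepath.Join(emojiDir, name)
}

// isWithinDir reports whether target lies inside dir (or is dir itself) after cleaning.
// It uses filepath.Rel rather than a string-prefix test, so "/data/emoji-evil" is not
// mistaken for a child of "/data/emoji".
func isWithinDir(dir, target string) bool {
	rel, err := filepath.Rel(dir, target)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeTargetPath applies the filepath.Base approach: only the last path element of the
// name is kept, and the result is then checked for containment as defence in depth.
// Names that reduce to ".", ".." or the root separator are rejected outright.
func safeTargetPath(emojiDir, name string) (string, error) {
	base := filepath.Base(name)
	if base == "." || base == ".." || base == string(filepath.Separator) {
		return "", ErrOutsideDir
	}
	target := filepath.Join(emojiDir, base)
	if !isWithinDir(emojiDir, target) {
		return "", ErrOutsideDir
	}
	return target, nil
}

func main() {
	// Constructed sample input modelled on the request body shown in the advisory.
	dir, name := "/data/emoji", "../../../../../../../tmp/test"
	fmt.Println("vulnerable:", vulnerableTargetPath(dir, name))
	fmt.Println(safeTargetPath(dir, name))
}
```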


This issue may lead to arbitrary file deletion.


To exploit this vulnerability, an attacker may make the following POST request:

curl -X 'POST' \
    -H 'Authorization: Basic <ADMIN_CREDENTIALS>' \
    --data '{"name":"../../../../../../../tmp/test"}' \

Note that credentials for the admin user are needed.



This issue was discovered and reported by the GitHub CodeQL team member @atorralba (Tony Torralba). The vulnerability was found with the help of CodeQL’s path injection query.


You can contact the GHSL team at ; please include a reference to GHSL-2023-277 in any communication regarding this issue.