Path traversal via event id

Klaas van Schelven; 29 July - 3 min read

An issue was found in how ingestion paths were derived from incoming event IDs. Under certain conditions, this could lead to files being written outside the intended directory. The behavior has been corrected and patch releases are now available.

Read the full advisory here: Security Advisory.

Impact

  • event_id values were used in path construction without validation.
  • Malformed identifiers could trigger writes beyond the designated directory, potentially overwriting existing files.
  • In containerized setups, the effect is contained to the container; in others, it may affect host-level files accessible to the Bugsink process.

Recommendation

To ensure that event IDs are validated and normalized before use in file path construction, upgrade to the latest patch release of Bugsink, i.e. any of the following:

  • 1.7.4
  • 1.6.4
  • 1.5.5
  • 1.4.3
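The two measures the fix combines, UUID-only normalization of the incoming id and a check that the resolved path still lies inside the ingestion directory, as an added example in Python. This is illustrative code written for this post, not Bugsink's own implementation; the directory `/tmp/bugsink-ingest` and the function names are assumptions.

```python
import os
import uuid

# Assumed ingestion directory; Bugsink's real location is not stated here.
INGEST_DIR = "/tmp/bugsink-ingest"


def naive_event_path(base_dir: str, event_id: str) -> str:
    """Path construction of the kind the advisory describes: the event id is
    joined onto the directory as received. Shown only to make the defect
    visible to the containment check below; not for use."""
    return os.path.join(base_dir, event_id)


def normalize_event_id(event_id: str) -> str:
    """Canonicalize to the 32-character lowercase hex form, or raise ValueError.

    uuid.UUID tolerates braces, dashes and a 'urn:uuid:' prefix, but anything
    it accepts is a UUID and nothing else, so the result is [0-9a-f]{32} and
    cannot contain a separator or a '..' component.
    """
    try:
        return uuid.UUID(event_id).hex
    except (ValueError, AttributeError, TypeError):
        raise ValueError(f"event_id is not a UUID: {event_id!r}")


def is_valid_event_id(event_id: str) -> bool:
    """Boolean form of normalize_event_id for callers that only need a check."""
    try:
        normalize_event_id(event_id)
        return True
    except ValueError:
        return False


def escapes_base(base_dir: str, path: str) -> bool:
    """True when `path`, after resolving '..' and symlinks, is not inside base_dir."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def safe_event_path(base_dir: str, event_id: str) -> str:
    """Build the path from the normalized id and, as defense in depth, refuse
    any result that still resolves outside base_dir."""
    candidate = os.path.join(os.path.realpath(base_dir), normalize_event_id(event_id))
    if escapes_base(base_dir, candidate):
        raise ValueError("resolved path escapes the ingestion directory")
    return os.path.realpath(candidate)
```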

Timeline

Local (Amsterdam) time, 29 July 2025:

  • Review of Copilot PR #172 raised questions about UUID handling.
  • 14:18: still looking at copilot’s attempts
  • 14:32: successful test of crafted input containing ../ on local instance.
  • 14:50: patch enforcing UUID-only normalization applied.
  • 15:08: other os.path.join usages and open(...) calls audited; additional validations added as a defense-in-depth measure.
  • 15:33: Start of security advisory process.
  • 15:54: Fix backported to branches 1.4.x, 1.5.x, 1.6.x and 1.7.x; patch releases created.
  • 16:58: advisory published.
  • 17:03: release notes posted.
  • 17:05: announcement sent over Discord and (if applicable) email.
  • 18:03: this blog post published.

Learnings

This isn’t just something to fix and move on. What this means exactly for the Bugsink development process, I am still not sure (the ink is still wet on the advisory and the patch releases).

But it’s clear that we need to be more careful about how we handle user input, and also that any code that writes to the filesystem deserves extra scrutiny.