Nixpkgs security tracker

Untriaged

Permalink CVE-2026-30942

created 1 month ago

Flare has a Path Traversal in /api/avatars/[filename]

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/[filename] allows any logged-in user to read arbitrary files from within the application container. The filename URL parameter is passed to path.join() without sanitization, and getFileStream() performs no path validation, enabling %2F-encoded ../ sequences to escape the uploads/avatars/ directory and read any file accessible to the nextjs process under /app/. Authentication is enforced by Next.js middleware. However, on instances with open registration enabled (the default), any attacker can self-register and immediately exploit this. This vulnerability is fixed in 1.7.3.

References

https://github.com/FlintSH/Flare/security/advisories/GHSA-h639-p7m9-mpgp x_refsource_CONFIRM
https://github.com/FlintSH/Flare/commit/cd894cc480619aef958be5de72b1445222fd8d36 x_refsource_MISC
https://github.com/FlintSH/Flare/releases/tag/v1.7.3 x_refsource_MISC

Affected products

Flare

==< 1.7.3

Matching in nixpkgs

pkgs.flare

Fantasy action RPG using the FLARE engine

nixos-unstable 1.14
- nixpkgs-unstable 1.14
- nixos-unstable-small 1.14
nixos-25.11 1.14
- nixos-25.11-small 1.14
- nixpkgs-25.11-darwin 1.14

pkgs.flarectl

CLI application for interacting with a Cloudflare account

nixos-unstable 0.116.0
- nixpkgs-unstable 0.116.0
- nixos-unstable-small 0.116.0
nixos-25.11 0.116.0
- nixos-25.11-small 0.116.0
- nixpkgs-25.11-darwin 0.116.0

pkgs.photoflare

Cross-platform image editor with a powerful features and a very friendly graphical user interface

nixos-unstable 1.6.13
- nixpkgs-unstable 1.6.13
- nixos-unstable-small 1.6.13
nixos-25.11 1.6.13
- nixos-25.11-small 1.6.13
- nixpkgs-25.11-darwin 1.6.13

pkgs.cloudflared

Cloudflare Tunnel daemon, Cloudflare Access toolkit, and DNS-over-HTTPS client

nixos-unstable 2026.2.0
- nixpkgs-unstable 2026.2.0
- nixos-unstable-small 2026.2.0
nixos-25.11 2025.11.1
- nixos-25.11-small 2025.11.1
- nixpkgs-25.11-darwin 2025.11.1

pkgs.flare-floss

Automatically extract obfuscated strings from malware

nixos-unstable 3.1.1
- nixpkgs-unstable 3.1.1
- nixos-unstable-small 3.1.1
nixos-25.11 3.1.1
- nixos-25.11-small 3.1.1
- nixpkgs-25.11-darwin 3.1.1

pkgs.gotlsaflare

Update TLSA DANE records on cloudflare from x509 certificates

nixos-unstable 2.8.2
- nixpkgs-unstable 2.8.2
- nixos-unstable-small 2.8.2
nixos-25.11 2.8.0
- nixos-25.11-small 2.8.0
- nixpkgs-25.11-darwin 2.8.0

pkgs.flare-signal

Unofficial Signal GTK client

nixos-unstable 0.18.4
- nixpkgs-unstable 0.18.4
- nixos-unstable-small 0.18.4
nixos-25.11 0.18.4
- nixos-25.11-small 0.18.4
- nixpkgs-25.11-darwin 0.18.4

pkgs.flaresolverr

Proxy server to bypass Cloudflare protection

nixos-unstable 3.4.6
- nixpkgs-unstable 3.4.6
- nixos-unstable-small 3.4.6
nixos-25.11 3.4.6
- nixos-25.11-small 3.4.6
- nixpkgs-25.11-darwin 3.4.6

pkgs.cloudflare-cli

CLI for interacting with Cloudflare

nixos-unstable 5.1.2
- nixpkgs-unstable 5.1.2
- nixos-unstable-small 5.1.2
nixos-25.11 5.1.0
- nixos-25.11-small 5.1.0
- nixpkgs-25.11-darwin 5.1.0

pkgs.cloudflare-ddns

Dynamic DNS (DDNS) client for Cloudflare

nixos-unstable 1.15.1
- nixpkgs-unstable 1.15.1
- nixos-unstable-small 1.15.1
nixos-25.11 1.15.1
- nixos-25.11-small 1.15.1
- nixpkgs-25.11-darwin 1.15.1

pkgs.cloudflare-warp

Replaces the connection between your device and the Internet with a modern, optimized, protocol

nixos-unstable 2026.1.150.0
- nixpkgs-unstable 2026.1.150.0
- nixos-unstable-small 2026.1.150.0
nixos-25.11 2025.10.186.0
- nixos-25.11-small 2025.10.186.0
- nixpkgs-25.11-darwin 2025.10.186.0