
DocMost v0.21.0: CVE-2025-57231 Unauthenticated File Path Traversal

An unauthenticated file path traversal vulnerability was found in the DocMost Docker image v0.21.0. At the time of discovery, hundreds of publicly exposed instances may have been affected.
As the Shodan output below shows, a query for the DocMost favicon hash returned almost a thousand results:

Software Exposure Surface
Shodan: http.favicon.hash:257668387
965 Results on 28 July 2025

[Image: Shodan results for http.favicon.hash:257668387, 28 July 2025]

The output above shows that Germany, the United States, China, the Russian Federation and France are the most affected countries, together representing over 50% of the results.
The vulnerability is easy to exploit: the affected endpoint is reachable without authentication and lets an attacker read arbitrary files from the container, including /proc/self/environ. That file contains the process environment, and with it the secret used to sign JWTs, so an attacker who reads it can forge valid authentication cookies.

The vulnerability was most likely exploitable in the following versions:
– From v0.2.1 (released 1 July 2024)
– To v0.21.0
– Patched in v0.22.0 (29 July 2025)

Unauthenticated File Path Traversal
CVE: CVE-2025-57231
Type: Path Traversal / Sensitive Data Exposure
Privileges required: Unauthenticated
CVSS: 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Software version: v0.21.0
Tested versions: v0.21.0 (versions from v0.2.1 to v0.21.0 are likely affected)
Vendor: DocMost

During this analysis, one of the main concerns was whether private files could be read without any authorization. After testing several endpoints, it turned out that the avatar endpoint returned file contents even without authentication. A review of the code behind it showed that the handler built the file path from the request-supplied filename without sanitizing it, so whatever the client sent was passed to the file read as-is.

[Image: source of the avatar endpoint handler, showing the unsanitized file read]

With a likely file path traversal in hand, we started crafting a payload to retrieve /etc/passwd. A literal '/' in the filename segment would be interpreted as a path separator by the router instead of reaching the handler as part of the filename, so the first attempt was to URL-encode every character of the full traversal path

../../../../../../../../../../../../../../../../../../etc/passwd

which produces the following encoding:

%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64

We then substituted the encoded string for the filename in the avatar request:

[Image: avatar request with the fully URL-encoded traversal payload as the filename, returning /etc/passwd]

On the first try we successfully read /etc/passwd. The next step was to reduce the payload to the simplest form that still worked and to repeat the request without a Cookie header. Only the slashes needed to be URL-encoded: ../../../../../etc/passwd became ..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

[Image: unauthenticated GET with ..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd as the filename, returning /etc/passwd]

As the image above shows, we read /etc/passwd without any authentication. To be clear, the avatar endpoint does not require JWT authentication by design; the flaw is that the filename is not constrained to the avatar storage directory.
The same request works for /proc/self/environ, which exposes the process environment, including the JWT signing secret. With that secret a malicious actor can forge JWT tokens and escalate privileges:

[Image: /proc/self/environ retrieved through the avatar endpoint]

[Image: online JWT tool checking the recovered secret against a token]

An online JWT tool confirms that the recovered secret validates the token's signature.

Conclusion
The examples and impacts discussed in this article primarily concern public exposure. A Web Application Firewall is worth having today, since vulnerabilities like this one are discovered frequently. A WAF is not a substitute for patching, but it adds a layer that blocks this type of malicious payload and is a valuable complementary control.
Docker Hub shows over a million downloads of the DocMost image, which suggests that many organizations may also be exposed to this risk within their internal networks.
Although the issue was fixed quickly, every user or organization that has deployed this tool should check that the patch has been applied. Since DocMost is self-hosted, assessing external exposure is crucial.

Timeline
28 July 2025 – CVE discovered and reported to MITRE
28 July 2025 – Vulnerability reported to the vendor.
29 July 2025 – Vendor applied the fix.
4 August 2025 – Vendor requested a 6-month disclosure window.
4 August 2025 – Requested to MITRE a CVE status update.
7 August 2025 – Vendor confirmed that there are around 6000 self-hosted active instances.
17 September 2025 – CVE-2025-57231 assigned.
January 2026 – Article published with DocMost’s authorization

Author:
Diogo Teixeira