> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.
kkFileView is a popular open-source project that allows users to preview various file formats directly in the browser.
In April 2024, a critical remote code execution (RCE) vulnerability was publicly disclosed. The flaw allows attackers to upload specially crafted ZIP files that overwrite system files and execute arbitrary code on the server.
Vulnerability Overview
What Happened?
The issue was introduced in version 4.2.0, when the file upload logic was changed to extract both file names and directory paths from ZIP files. This opened the door to a classic Zip Slip vulnerability.
By uploading a malicious ZIP archive containing files with directory traversal sequences (`../../`), an attacker can overwrite sensitive files on the server and trigger code execution.
Impact
If exploited successfully, this vulnerability could:
- Allow full remote code execution (RCE)
- Lead to complete server takeover
- Leak sensitive files or credentials
- Turn your server into a launchpad for further attacks
Affected Versions
The following versions are confirmed to be vulnerable:
- kkFileView v4.2.0 through v4.4.0-beta
⚠️ At the time of writing, no official release has patched the issue. A fix is available on the development branch and will be merged in the next official release.
Workaround & Temporary Fixes
If you're using kkFileView in production, here's what you can do immediately:
- Disable File Uploads: add the following configuration to `application.properties`:
  `file.upload.disable=true`
  This will disable the upload feature on the homepage.
- Restrict Network Access:
  - Avoid exposing the application to the public internet.
  - Use firewall rules or ACLs to allow access only from trusted IP addresses.
- Monitor for Malicious Uploads:
  - Check for unusual `.zip` files or unexpected files in your server directories.
Patch Status
The issue was fixed in this GitHub commit, but the patched code is currently only in the development branch.
For now, users are advised to:
- Pull the latest code from the `dev` branch
- Follow the project for updates on the next official release
- Stay alert for security bulletins
Reproduction
The vulnerability can be reproduced by uploading a ZIP file with a payload like:
`../tomcat/webapps/ROOT/shell.jsp`
If extracted without sanitization, this will place a web shell directly into your server's public directory.
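As an added illustration (not kkFileView's own code or its fix), the check a Java upload handler needs to stop exactly this entry: each archive entry name is resolved against the destination directory and rejected when the normalized result escapes it. The archive is constructed in memory with the entry name above and placeholder content; the destination is a hypothetical temporary directory.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public class ZipSlipCheck {
    // The bug class: destDir.resolve(entry.getName()) with no check lets
    // "../tomcat/webapps/ROOT/shell.jsp" land outside the upload directory.
    // Hardened: normalize away ".." and require the result to stay under destDir;
    // absolute entry names fail the same test.
    static Path safeTarget(Path destDir, ZipEntry entry) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entry.getName()).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("Zip Slip entry rejected: " + entry.getName());
        }
        return target;
    }

    // Extracts an archive, throwing on the first entry that escapes destDir.
    static void extract(byte[] zipBytes, Path destDir) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            for (ZipEntry entry = zin.getNextEntry(); entry != null; entry = zin.getNextEntry()) {
                Path target = safeTarget(destDir, entry);
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zin, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }

    // Constructed sample archive: one traversal entry with placeholder content.
    static byte[] sampleZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("../tomcat/webapps/ROOT/shell.jsp"));
            zos.write("placeholder".getBytes());
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("kkfileview-upload"); // hypothetical upload dir
        try {
            extract(sampleZip(), dest);
        } catch (IOException ex) {
            System.out.println(ex.getMessage()); // the sample archive is rejected here
        }
    }
}
```

Entries written before a rejected one remain on disk; the stricter variant validates every name with `safeTarget` before writing anything.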
Detection Support
| Platform | Detection Support |
|---|---|
| Yuntu | Fingerprint + PoC detection supported |
| Dongjian | Scheduled support by April 18, 2024 |
| SafeLine | Virtual patching and detection supported by April 17 |
| Quanshi | Detection supported by default |
Timeline
- April 16, 2024: Vulnerability intelligence surfaced
- April 17, 2024: Official fix committed to development branch
- April 17, 2024: Security advisory published by Chaitin Tech
Final Thoughts
If you're running kkFileView in any public or internal environment, take action now. The exploit is trivial, the impact is high, and a proper patch is still pending.
Disable uploads, restrict access, and monitor logs while waiting for the next stable release.
Stay safe out there.