Common Weakness Enumeration

CWE-23

Allowed

Relative Path Traversal

Abstraction: Base · Status: Draft

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

778 vulnerabilities reference this CWE, most recent first.

GHSA-558G-H753-6M33

Vulnerability from github – Published: 2026-04-16 20:41 – Updated: 2026-06-08 19:54
VLAI
Summary
Weblate: Remote code execution during backup restoration
Details

Impact

The project backup didn't filter Git and Mercurial configuration files and this could lead to remote code execution under certain circumstances.

Patches

  • https://github.com/WeblateOrg/weblate/pull/18549

Workarounds

The project backup is only accessible to users who can create projects. Restricting access to this limits scope of the vulnerability.

References

This issue was reported by ggamno via HackerOne.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Weblate"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33435"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23",
      "CWE-434",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T20:41:38Z",
    "nvd_published_at": "2026-04-15T19:16:35Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe project backup didn\u0027t filter Git and Mercurial configuration files and this could lead to remote code execution under certain circumstances.\n\n### Patches\n* https://github.com/WeblateOrg/weblate/pull/18549\n\n### Workarounds\nThe project backup is only accessible to users who can create projects. Restricting access to this limits scope of the vulnerability.\n\n### References\nThis issue was reported by [ggamno](https://hackerone.com/ggamno) via HackerOne.",
  "id": "GHSA-558g-h753-6m33",
  "modified": "2026-06-08T19:54:20Z",
  "published": "2026-04-16T20:41:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33435"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/weblate/pull/18549"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WeblateOrg/weblate"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2026-154.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Weblate: Remote code execution during backup restoration"
}

GHSA-55G2-VM3Q-7W52

Vulnerability from github – Published: 2023-11-15 00:31 – Updated: 2024-12-06 18:06
VLAI
Summary
Ansible galaxy-importer Path Traversal vulnerability
Details

A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "galaxy-importer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.4.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-5189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-16T20:16:05Z",
    "nvd_published_at": "2023-11-14T23:15:12Z",
    "severity": "MODERATE"
  },
  "details": "A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.",
  "id": "GHSA-55g2-vm3q-7w52",
  "modified": "2024-12-06T18:06:33Z",
  "published": "2023-11-15T00:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5189"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:7773"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1536"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2010"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-5189"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2234387"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/galaxy-importer"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/galaxy-importer/blob/2c5c7c05fdfb0835878234b36de32902c703616d/galaxy_importer/collection.py#L160-L165"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ansible galaxy-importer Path Traversal vulnerability"
}

GHSA-564Q-HF94-RX9Q

Vulnerability from github – Published: 2024-10-01 12:30 – Updated: 2024-10-01 12:30
VLAI
Details

An incorrect limitation of a path to a restricted directory (path traversal) has been detected in Pluck CMS, affecting version 4.7.18. An unauthenticated attacker could extract sensitive information from the server via the absolute path of a file located in the same directory or subdirectory as the module, but not from recursive directories.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9405"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-01T12:15:03Z",
    "severity": "MODERATE"
  },
  "details": "An incorrect limitation of a path to a restricted directory (path traversal) has been detected in Pluck CMS, affecting version 4.7.18. An unauthenticated attacker could extract sensitive information from the server via the absolute path of a file located in the same directory or subdirectory as the module, but not from recursive directories.",
  "id": "GHSA-564q-hf94-rx9q",
  "modified": "2024-10-01T12:30:30Z",
  "published": "2024-10-01T12:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9405"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-limitation-path-restricted-directory-pluck-cms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-56FC-7XXQ-MCFP

Vulnerability from github – Published: 2025-10-17 06:31 – Updated: 2025-10-17 06:31
VLAI
Details

Agentflow developed by Flowring has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11898"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-17T04:16:03Z",
    "severity": "HIGH"
  },
  "details": "Agentflow developed by Flowring has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files.",
  "id": "GHSA-56fc-7xxq-mcfp",
  "modified": "2025-10-17T06:31:09Z",
  "published": "2025-10-17T06:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11898"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-10439-0bd15-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-10438-1173e-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-56QR-P95W-94VH

Vulnerability from github – Published: 2026-07-07 06:31 – Updated: 2026-07-07 06:31
VLAI
Details

Relative path traversal vulnerability in MicroRealEstate file upload functionality allows attackers to potentially overwrite system files.

This issue affects MicroRealEstate: through 1.0.0-alpha3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57871"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-07T06:16:23Z",
    "severity": "HIGH"
  },
  "details": "Relative path traversal vulnerability in MicroRealEstate file upload functionality allows attackers to potentially overwrite system files.\n\nThis issue affects MicroRealEstate: through 1.0.0-alpha3.",
  "id": "GHSA-56qr-p95w-94vh",
  "modified": "2026-07-07T06:31:24Z",
  "published": "2026-07-07T06:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57871"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microrealestate/microrealestate"
    },
    {
      "type": "WEB",
      "url": "https://www.themissinglink.com.au/security-advisories/cve-2026-57871"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5972-7QFM-HJ76

Vulnerability from github – Published: 2025-08-16 09:31 – Updated: 2025-08-16 09:31
VLAI
Details

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8464"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-16T08:15:27Z",
    "severity": "MODERATE"
  },
  "details": "The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin\u0027s uploads folder.",
  "id": "GHSA-5972-7qfm-hj76",
  "modified": "2025-08-16T09:31:32Z",
  "published": "2025-08-16T09:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8464"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.0/inc/dnd-upload-cf7.php#L1018"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.0/inc/dnd-upload-cf7.php#L1050"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.0/inc/dnd-upload-cf7.php#L77"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3344512%40drag-and-drop-multiple-file-upload-contact-form-7\u0026new=3344512%40drag-and-drop-multiple-file-upload-contact-form-7\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/17f7be7f-f675-4c9f-a7b3-525a3c3c5775?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5CM2-9H8C-RVFX

Vulnerability from github – Published: 2022-07-21 21:39 – Updated: 2022-08-10 23:48
VLAI
Summary
TZInfo relative path traversal vulnerability allows loading of arbitrary files
Details

Impact

Affected versions

  • 0.3.60 and earlier.
  • 1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data).

Vulnerability

With the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and later and built-in to earlier versions), time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process.

For example, with version 1.2.9, you can run the following to load a file with path /tmp/payload.rb:

TZInfo::Timezone.get("foo\n/../../../../../../../../../../../../../../../../tmp/payload")

The exact number of parent directory traversals needed will vary depending on the location of the tzinfo-data gem.

TZInfo versions 1.2.6 to 1.2.9 can be made to load files from outside of the Ruby load path. Versions up to and including 1.2.5 can only be made to load files from directories within the load path.

This could be exploited in, for example, a Ruby on Rails application using tzinfo version 1.2.9, that allows file uploads and has a time zone selector that accepts arbitrary time zone identifiers. The CVSS score and severity have been set on this basis.

Versions 2.0.0 and later are not vulnerable.

Patches

Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers (commit 9eddbb5c0e682736f61d0dd803b6031a5db9eadf for 0.3.x and commit 9905ca93abf7bf3e387bd592406e403cd18334c7 for 1.2.x).

Note that version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. For example if /tmp/upload was in the load path, then TZInfo::Timezone.get('foo') could load a file with path /tmp/upload/tzinfo/definition/foo.rb. Applications should ensure that untrusted files are not placed in a directory on the load path.

Workarounds

As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.

For more information

If you have any questions or comments about this advisory: - Open an issue in the tzinfo repository.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "tzinfo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.61"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "tzinfo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31163"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-21T21:39:29Z",
    "nvd_published_at": "2022-07-22T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\n#### Affected versions\n\n  - 0.3.60 and earlier.\n  - 1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data).\n\n#### Vulnerability \n\nWith the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and later and built-in to earlier versions), time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process.\n\nFor example, with version 1.2.9, you can run the following to load a file with path `/tmp/payload.rb`:\n\n```ruby\nTZInfo::Timezone.get(\"foo\\n/../../../../../../../../../../../../../../../../tmp/payload\")\n```\n\nThe exact number of parent directory traversals needed will vary depending on the location of the tzinfo-data gem.\n\nTZInfo versions 1.2.6 to 1.2.9 can be made to load files from outside of the Ruby load path. Versions up to and including 1.2.5 can only be made to load files from directories within the load path. \n\nThis could be exploited in, for example, a Ruby on Rails application using tzinfo version 1.2.9, that allows file uploads and has a time zone selector that accepts arbitrary time zone identifiers. The CVSS score and severity have been set on this basis.\n\nVersions 2.0.0 and later are not vulnerable.\n\n### Patches\n\nVersions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers (commit 9eddbb5c0e682736f61d0dd803b6031a5db9eadf for 0.3.x and commit 9905ca93abf7bf3e387bd592406e403cd18334c7 for 1.2.x).\n\nNote that version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of `tzinfo/definition` within a directory in the load path. For example if `/tmp/upload` was in the load path, then `TZInfo::Timezone.get(\u0027foo\u0027)` could load a file with path `/tmp/upload/tzinfo/definition/foo.rb`. Applications should ensure that untrusted files are not placed in a directory on the load path.\n\n### Workarounds\n\nAs a workaround, the time zone identifier can be validated before passing to `TZInfo::Timezone.get` by ensuring it matches the regular expression `\\A[A-Za-z0-9+\\-_]+(?:\\/[A-Za-z0-9+\\-_]+)*\\z`.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n  - Open an issue in [the tzinfo repository](https://github.com/tzinfo/tzinfo).",
  "id": "GHSA-5cm2-9h8c-rvfx",
  "modified": "2022-08-10T23:48:58Z",
  "published": "2022-07-21T21:39:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31163"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tzinfo/tzinfo/commit/9905ca93abf7bf3e387bd592406e403cd18334c7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tzinfo/tzinfo/commit/9eddbb5c0e682736f61d0dd803b6031a5db9eadf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/tzinfo/CVE-2022-31163.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tzinfo/tzinfo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tzinfo/tzinfo/releases/tag/v0.3.61"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tzinfo/tzinfo/releases/tag/v1.2.10"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00009.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TZInfo relative path traversal vulnerability allows loading of arbitrary files"
}

GHSA-5FX4-FFFC-MC96

Vulnerability from github – Published: 2025-04-25 15:31 – Updated: 2025-04-25 15:31
VLAI
Details

In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46433"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-25T15:15:40Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible",
  "id": "GHSA-5fx4-fffc-mc96",
  "modified": "2025-04-25T15:31:24Z",
  "published": "2025-04-25T15:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46433"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5G94-C2WX-8PXW

Vulnerability from github – Published: 2026-02-03 23:57 – Updated: 2026-02-04 21:55
VLAI
Summary
apko has a path traversal in apko dirFS which allows filesystem writes outside base
Details

A Path Traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory.

Fix: Fixed by d8b7887. Merged into release.

Acknowledgements

apko thanks Oleh Konko from 1seal for discovering and reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "chainguard.dev/apko"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.14.8"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25121"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-03T23:57:48Z",
    "nvd_published_at": "2026-02-04T19:16:14Z",
    "severity": "HIGH"
  },
  "details": "A Path Traversal vulnerability was discovered in apko\u0027s dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory.\n\n**Fix:** Fixed by [d8b7887](https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14). Merged into release. \n\n**Acknowledgements**                                                                                                                                                                        \n                                                                                                                                                                                              \napko thanks Oleh Konko from [1seal](https://1seal.org/) for discovering and reporting this issue.",
  "id": "GHSA-5g94-c2wx-8pxw",
  "modified": "2026-02-04T21:55:44Z",
  "published": "2026-02-03T23:57:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25121"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chainguard-dev/apko"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "apko has a path traversal in apko dirFS which allows filesystem writes outside base"
}

GHSA-5H5V-HW44-F6GG

Vulnerability from github – Published: 2024-05-14 20:13 – Updated: 2024-05-14 20:13
VLAI
Summary
Oceanic allows unsanitized user input to lead to path traversal in URLs
Details

Impact

Input to functions such as Client.rest.channels.removeBan is not url-encoded, resulting in specially crafted input such as ../../../channels/{id} being normalized into the url /api/v10/channels/{id}, and deleting a channel rather than removing a ban.

Workarounds

  • Sanitizing user input, ensuring strings are valid for the purpose they are being used for.
  • Encoding input with encodeURIComponent before providing it to the library.

References

OceanicJS/Oceanic@8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "oceanic.js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34712"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T20:13:58Z",
    "nvd_published_at": "2024-05-14T16:17:26Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nInput to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input such as `../../../channels/{id}` being normalized into the url `/api/v10/channels/{id}`, and deleting a channel rather than removing a ban.\n\n### Workarounds\n* Sanitizing user input, ensuring strings are valid for the purpose they are being used for.\n* Encoding input with `encodeURIComponent` before providing it to the library.\n\n### References\nOceanicJS/Oceanic@8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe",
  "id": "GHSA-5h5v-hw44-f6gg",
  "modified": "2024-05-14T20:13:58Z",
  "published": "2024-05-14T20:13:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34712"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OceanicJS/Oceanic"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Oceanic allows unsanitized user input to lead to path traversal in URLs"
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Implementation

Strategy: Input Validation

  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
  • realpath() in C
  • getCanonicalPath() in Java
  • GetFullPath() in ASP.NET
  • realpath() or abs_path() in Perl
  • realpath() in PHP
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-139: Relative Path Traversal

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.