Common Weakness Enumeration

CWE-24

Allowed

Path Traversal: '../filedir'

Abstraction: Variant · Status: Incomplete

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.

187 vulnerabilities reference this CWE, most recent first.

GHSA-CVJ3-F4X8-HW28

Vulnerability from github – Published: 2024-01-11 18:31 – Updated: 2024-01-11 18:31
VLAI
Details

A vulnerability, which was classified as critical, has been found in DeShang DSMall up to 5.0.3. Affected by this issue is some unknown functionality of the file application/home/controller/MemberAuth.php. The manipulation of the argument file_name leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250436.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0416"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-11T18:15:44Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as critical, has been found in DeShang DSMall up to 5.0.3. Affected by this issue is some unknown functionality of the file application/home/controller/MemberAuth.php. The manipulation of the argument file_name leads to path traversal: \u0027../filedir\u0027. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250436.",
  "id": "GHSA-cvj3-f4x8-hw28",
  "modified": "2024-01-11T18:31:29Z",
  "published": "2024-01-11T18:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0416"
    },
    {
      "type": "WEB",
      "url": "https://note.zhaoj.in/share/DxR7FZsCKJQ1"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.250436"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.250436"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F5GV-M2H2-FPC6

Vulnerability from github – Published: 2024-03-17 15:30 – Updated: 2024-03-17 15:30
VLAI
Details

A vulnerability was found in PandaXGO PandaX up to 20240310 and classified as critical. This issue affects the function ExportUser of the file /apps/system/api/user.go. The manipulation of the argument filename leads to path traversal: '../filedir'. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257063.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-17T14:15:06Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in PandaXGO PandaX up to 20240310 and classified as critical. This issue affects the function ExportUser of the file /apps/system/api/user.go. The manipulation of the argument filename leads to path traversal: \u0027../filedir\u0027. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257063.",
  "id": "GHSA-f5gv-m2h2-fpc6",
  "modified": "2024-03-17T15:30:30Z",
  "published": "2024-03-17T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2564"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PandaXGO/PandaX/issues/6"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.257063"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.257063"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F93M-9MQ4-2FJJ

Vulnerability from github – Published: 2025-07-11 18:30 – Updated: 2025-11-02 03:30
VLAI
Details

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-45582"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-11T17:15:37Z",
    "severity": "MODERATE"
  },
  "details": "GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file\u0027s name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of \"Member name contains \u0027..\u0027\" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain \"x -\u003e ../../../../../home/victim/.ssh\" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which \"tar xf\" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages).",
  "id": "GHSA-f93m-9mq4-2fjj",
  "modified": "2025-11-02T03:30:13Z",
  "published": "2025-07-11T18:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45582"
    },
    {
      "type": "WEB",
      "url": "https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://www.gnu.org/software/tar"
    },
    {
      "type": "WEB",
      "url": "https://www.gnu.org/software/tar/manual/html_node/Integrity.html"
    },
    {
      "type": "WEB",
      "url": "https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/11/01/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FGMH-2JHG-VQ8C

Vulnerability from github – Published: 2024-04-03 03:30 – Updated: 2024-04-03 03:30
VLAI
Details

A vulnerability was found in Panwei eoffice OA up to 9.5. It has been declared as critical. This vulnerability affects unknown code of the file /general/system/interface/theme_set/save_image.php of the component Backend. The manipulation of the argument image_type leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259072.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-03T03:15:11Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Panwei eoffice OA up to 9.5. It has been declared as critical. This vulnerability affects unknown code of the file /general/system/interface/theme_set/save_image.php of the component Backend. The manipulation of the argument image_type leads to path traversal: \u0027../filedir\u0027. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259072.",
  "id": "GHSA-fgmh-2jhg-vq8c",
  "modified": "2024-04-03T03:30:30Z",
  "published": "2024-04-03T03:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3227"
    },
    {
      "type": "WEB",
      "url": "https://github.com/garboa/cve_3/blob/main/upload.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.259072"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.259072"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.308750"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQV6-CRJX-GM34

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2025-04-04 15:30
VLAI
Details

A vulnerability classified as problematic has been found in DedeCMS 5.7.114. This affects an unknown part of the file /sys_verifies.php?action=view. The manipulation of the argument filename with the input ../../../../../etc/passwd leads to path traversal: '../filedir'. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263889 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4790"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:44:44Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic has been found in DedeCMS 5.7.114. This affects an unknown part of the file /sys_verifies.php?action=view. The manipulation of the argument filename with the input ../../../../../etc/passwd leads to path traversal: \u0027../filedir\u0027. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263889 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-fqv6-crjx-gm34",
  "modified": "2025-04-04T15:30:53Z",
  "published": "2024-05-14T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4790"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gatsby2003/DedeCms/blob/main/Directory_traversal_arbitrary_file_read.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.263889"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.263889"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.329483"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FV2P-QJ5P-WQQ4

Vulnerability from github – Published: 2025-07-03 14:18 – Updated: 2025-07-03 14:18
VLAI
Summary
LF Edge eKuiper vulnerable to File Path Traversal leading to file replacement
Details

Summary

Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application. In this case, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.

Details

The file handler function trusts the filename provided by the user. This includes the cases when the user uses a path instead of the filename. This makes possible to write arbitrary files to the system and replace the files owned by kuiper user on the filesystem. The vulnerable function is fileUploadHandler which is shown below:

https://github.com/lf-edge/ekuiper/blob/1e6b6b6601445eb05316532f5fbef7f0a863ecfe/internal/server/rest.go#L329-L359

Exploitation of this vulnerability allows an attacker to rewrite the files owned by ekuiper including the main kuiper binaries as they are owned by kuiper user:

kuiper binaries

PoC

  1. The files should be uploaded to /kuiper/data/uploads directory. So let's move to the /kuiper/data, examine the existing files and create an empty traversal-poc file owned by kuiper:

Preparation

  1. Now, we can go to Services > Configuration > File Management and try to upload file with name ../test:

GUI

Request in Burp

In the response we can see the path of the uploaded file and can assume that the traversal worked.

  1. Now we can try to change the traversal-poc file that we know exists on the server. It can be made with the following request:

traversal-poc change

  1. Now, if we look at the server, we can see the file created in the traversed directory and the replaced poc-file:

Changed files

Impact

  • Possibility to upload files to external directories;
  • Possibility to rewrite any file owned by kuiper user on the filesystem.

Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lf-edge/ekuiper/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lf-edge/ekuiper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.14.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-03T14:18:04Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nPath traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application. In this case, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.\n\n### Details\nThe file handler function trusts the filename provided by the user. This includes the cases when the user uses a path instead of the filename. This makes possible to write arbitrary files to the system and **replace** the files owned by _kuiper_ user on the filesystem. The vulnerable function is `fileUploadHandler` which is shown below:\n\nhttps://github.com/lf-edge/ekuiper/blob/1e6b6b6601445eb05316532f5fbef7f0a863ecfe/internal/server/rest.go#L329-L359\n\nExploitation of this vulnerability allows an attacker to rewrite the files owned by ekuiper including the main kuiper binaries as they are owned by _kuiper_ user:\n\n![kuiper binaries](https://github.com/user-attachments/assets/58cf0dc9-20aa-4976-b199-d052a8f5a676)\n\n\n### PoC\n0.  The files should be uploaded to `/kuiper/data/uploads` directory. So let\u0027s move to the `/kuiper/data`, examine the existing files and create an empty `traversal-poc` file owned by  _kuiper_:\n\n![Preparation](https://github.com/user-attachments/assets/c1010cfe-ca3e-481d-b895-820a96f2af60)\n\n1. Now, we can go to _Services \u003e Configuration \u003e File Management_ and try to upload file with name `../test`:\n\n![GUI](https://github.com/user-attachments/assets/31402874-d8a1-450b-91d6-025533c7be33)\n\n![Request in Burp](https://github.com/user-attachments/assets/a4b01f57-5ce0-4791-8a6e-69eb47bca40b)\n\nIn the response we can see the path of the uploaded file and can assume that the traversal worked.\n\n2. Now we can try to change the `traversal-poc` file that we know exists on the server. It can be made with the following request:\n\n![traversal-poc change](https://github.com/user-attachments/assets/164a7088-9152-4a6d-bef4-de8b4637ed51)\n\n3. Now, if we look at the server, we can see the file created in the traversed directory and the replaced poc-file:\n\n![Changed files](https://github.com/user-attachments/assets/1be0bb36-66b7-4552-9b5d-6298c15d59bb)\n\n### Impact\n- Possibility to upload files to external directories;\n- Possibility to rewrite any file owned by _kuiper_ user on the filesystem.\n\nReported by Alexey Kosmachev, Lead Pentester from Bi.Zone",
  "id": "GHSA-fv2p-qj5p-wqq4",
  "modified": "2025-07-03T14:18:04Z",
  "published": "2025-07-03T14:18:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/security/advisories/GHSA-fv2p-qj5p-wqq4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lf-edge/ekuiper"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/ekuiper/blob/1e6b6b6601445eb05316532f5fbef7f0a863ecfe/internal/server/rest.go#L329-L359"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LF Edge eKuiper vulnerable to File Path Traversal leading to file replacement"
}

GHSA-G2H5-CVVR-7GMW

Vulnerability from github – Published: 2025-09-17 19:03 – Updated: 2026-01-14 15:51
VLAI
Summary
esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header
Details

Summary

A path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories (example observed: ~/.esmd/modules/transform/<id>/ instead of ~/.esmd/storage/modules/transform).

Severity: Medium

Component / Endpoint:

POST /transform — handling of X-Zone-Id header

The vulnerable code is in https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116 and https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411

Impact: Arbitrary file creation / overwrite outside intended storage directory (file write to attacker-controlled path). Possible remote code execution, persistence, tampering with application files, or facilitating further path-traversal attacks.


Proof of Concept (POC)

Request (attacker-supplied X-Zone-Id contains path traversal):

POST /transform HTTP/1.1
Host: localhost:8888
User-Agent: Den/8.7.1
Accept: */*
Connection: keep-alive
Referer: http://localhost:9999/
Content-Type: application/json
X-Zone-Id: ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/
Content-Length: 325

{
  "filename": "example2.js",
  "lang": "js",
  "code": "console.log('hello');",
  "importMap": {
    "imports": {
      "react": "https://esm.sh/react",
      "react-dom": "https://esm.sh/react-dom"
    }
  },
  "jsxImportSource": "react",
  "target": "es2022",
  "sourceMap": "external",
  "minify": true
}

Screenshot 2025-09-16 at 21 40 57

Observed result: file written to ~/.esmd/modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/example2.js instead of the intended ~/.esmd/storage/modules/transform/.

This can be trigger with another path traversal request below

GET /+c245626ef6ca0fd9ee37759c5fac606c6ec99daa./../../../esm.db?.css HTTP/1.1
Host: localhost:8888
User-Agent: localhost
Accept: */*
Connection: keep-alive
X-Zone-Id: ../
Referer: http://localhost:9999/

Screenshot 2025-09-16 at 21 37 07


Remediation

Simply remove any .. in the X-Zone-Id header before actually process the file.

Credits

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 136"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/esm-dev/esm.sh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "136.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59342"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-17T19:03:05Z",
    "nvd_published_at": "2025-09-17T18:15:53Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA path-traversal flaw in the handling of the `X-Zone-Id` HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application\u2019s storage base directory. As a result, supplying `../` sequences in `X-Zone-Id` causes files to be written to arbitrary directories (example observed: `~/.esmd/modules/transform/\u003cid\u003e/` instead of `~/.esmd/storage/modules/transform`).\n\n**Severity:** Medium\n\n**Component / Endpoint:** \n\n`POST /transform` \u2014 handling of `X-Zone-Id` header\n\nThe vulnerable code is in https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116 and https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411 \n\n**Impact:** Arbitrary file creation / overwrite outside intended storage directory (file write to attacker-controlled path). Possible remote code execution, persistence, tampering with application files, or facilitating further path-traversal attacks.\n\n---\n\n## Proof of Concept (POC)\n\nRequest (attacker-supplied `X-Zone-Id` contains path traversal):\n\n```\nPOST /transform HTTP/1.1\nHost: localhost:8888\nUser-Agent: Den/8.7.1\nAccept: */*\nConnection: keep-alive\nReferer: http://localhost:9999/\nContent-Type: application/json\nX-Zone-Id: ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/\nContent-Length: 325\n\n{\n  \"filename\": \"example2.js\",\n  \"lang\": \"js\",\n  \"code\": \"console.log(\u0027hello\u0027);\",\n  \"importMap\": {\n    \"imports\": {\n      \"react\": \"https://esm.sh/react\",\n      \"react-dom\": \"https://esm.sh/react-dom\"\n    }\n  },\n  \"jsxImportSource\": \"react\",\n  \"target\": \"es2022\",\n  \"sourceMap\": \"external\",\n  \"minify\": true\n}\n```\n\u003cimg width=\"2496\" height=\"1214\" alt=\"Screenshot 2025-09-16 at 21 40 57\" src=\"https://github.com/user-attachments/assets/f878c3f0-5d7d-410c-97ac-20116f5496db\" /\u003e\n\n\nObserved result: file written to `~/.esmd/modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/example2.js` instead of the intended `~/.esmd/storage/modules/transform/`.\n\nThis can be trigger with another path traversal request below\n\n```\nGET /+c245626ef6ca0fd9ee37759c5fac606c6ec99daa./../../../esm.db?.css HTTP/1.1\nHost: localhost:8888\nUser-Agent: localhost\nAccept: */*\nConnection: keep-alive\nX-Zone-Id: ../\nReferer: http://localhost:9999/\n\n```\n\u003cimg width=\"2516\" height=\"710\" alt=\"Screenshot 2025-09-16 at 21 37 07\" src=\"https://github.com/user-attachments/assets/1fcfbed3-c1d2-4093-82d8-4afda225c685\" /\u003e\n\n---\n\n## Remediation\n\nSimply remove any .. in the `X-Zone-Id` header before actually process the file.\n\n## Credits\n\n- [Ai Ho (Jessie)](https://github.com/j3ssie)\n- [CL Yang](https://github.com/A11riseforme)",
  "id": "GHSA-g2h5-cvvr-7gmw",
  "modified": "2026-01-14T15:51:07Z",
  "published": "2025-09-17T19:03:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-g2h5-cvvr-7gmw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59342"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esm-dev/esm.sh/commit/833a29f42aeb0acbd7089a71be11dd0a292d3151"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/esm-dev/esm.sh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116"
    },
    {
      "type": "WEB",
      "url": "https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3967"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header"
}

GHSA-G5PM-7QX6-F2HG

Vulnerability from github – Published: 2025-12-19 03:31 – Updated: 2025-12-19 18:31
VLAI
Details

A Directory Traversal vulnerability in the Static Asset Proxy Endpoint in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via a crafted URL containing path traversal sequences.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-67845"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-19T02:16:09Z",
    "severity": "MODERATE"
  },
  "details": "A Directory Traversal vulnerability in the Static Asset Proxy Endpoint in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via a crafted URL containing path traversal sequences.",
  "id": "GHSA-g5pm-7qx6-f2hg",
  "modified": "2025-12-19T18:31:17Z",
  "published": "2025-12-19T03:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67845"
    },
    {
      "type": "WEB",
      "url": "https://heartbreak.ing"
    },
    {
      "type": "WEB",
      "url": "https://kibty.town/blog/mintlify"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=46317098"
    },
    {
      "type": "WEB",
      "url": "https://www.mintlify.com/blog/working-with-security-researchers-november-2025"
    },
    {
      "type": "WEB",
      "url": "https://www.mintlify.com/docs/changelog"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G8M5-CCPX-MH32

Vulnerability from github – Published: 2023-12-28 21:30 – Updated: 2023-12-28 21:30
VLAI
Details

A vulnerability was found in SourceCodester Medicine Tracking System 1.0. It has been rated as critical. This issue affects some unknown processing. The manipulation of the argument page leads to path traversal: '../filedir'. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249137 was assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-7134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-24"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-28T20:16:07Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in SourceCodester Medicine Tracking System 1.0. It has been rated as critical. This issue affects some unknown processing. The manipulation of the argument page leads to path traversal: \u0027../filedir\u0027. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249137 was assigned to this vulnerability.",
  "id": "GHSA-g8m5-ccpx-mh32",
  "modified": "2023-12-28T21:30:38Z",
  "published": "2023-12-28T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7134"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@2839549219ljk/medicine-tracking-system-rce-vulnerability-1f009165b915"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.249137"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.249137"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GCMJ-C9GG-9VH6

Vulnerability from github – Published: 2026-05-15 16:27 – Updated: 2026-05-19 16:08
VLAI
Summary
@joplin/onenote-converter: Path traversal in OneNote importer allows overwriting arbitrary files
Details

Summary

A path traversal vulnerability in the OneNote importer allows overwriting arbitrary files on disk.

Details

The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it's possible for an attacker to create a malicious .one file that includes file names containing ../../, that are then interpreted as part of the target path when extracting attachments from the .one file.

One affected location is embedded_file.rs, which generates a file name from a string previously parsed from the .one file, https://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L13-L16

Above, determine_filename passes through the provided file name.

Similar logic has been present since 4d7fa5972fe2986eae14cbf3a2801835cbe1384e (Joplin 3.2.2), when the OneNote importer was first introduced.

PoC

Screencast from 2025-11-20 13-50-21.webm

  1. Import poc_v2.zip.
  2. Open the application's profile directory, then open log.txt.
  3. Observe that log.txt has been overwritten non-log-file content (a WAV file).

Tested on Fedora Linux 43 with Joplin 3.4.12 (prod, linux) and Joplin 3.5.6 (dev, linux).

Note: The PoC ZIP file overwrites Joplin's log.txt. It is also possible to craft a file that overwrites more sensitive system files (e.g. .bashrc on Linux).

Impact

This is a path traversal vulnerability that impacts all versions of Joplin (<= v3.5.6) that include a OneNote importer. Importing a crafted OneNote export file allows an attacker to overwrite arbitrary files, potentially leading to remote code execution.

Patched in

  • Joplin: https://github.com/laurent22/joplin/commit/791668455e1aae50501ff57ea4783b3fba9d377c
  • one2html: https://github.com/msiemens/one2html/commit/948d65cdca5bb35d776b8b235ec05ff15249fd41
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@joplin/onenote-converter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22810"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-24"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-15T16:27:11Z",
    "nvd_published_at": "2026-05-18T21:16:39Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA path traversal vulnerability in the OneNote importer allows overwriting arbitrary files on disk.\n\n### Details\nThe OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it\u0027s possible for an attacker to create a malicious `.one` file that includes file names containing `../../`, that are then interpreted as part of the target path when extracting attachments from the `.one` file.\n\nOne affected location is `embedded_file.rs`, which generates a file name from a string previously parsed from the `.one` file,\nhttps://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L13-L16\n\nAbove, [`determine_filename`](https://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L56-L64) passes through the provided file name.\n\n[Similar logic](https://github.com/laurent22/joplin/blob/4d7fa5972fe2986eae14cbf3a2801835cbe1384e/packages/onenote-converter/src/page/embedded_file.rs#L14) has been present since 4d7fa5972fe2986eae14cbf3a2801835cbe1384e (Joplin 3.2.2), when the OneNote importer was first introduced.\n\n### PoC\n\n[Screencast from 2025-11-20 13-50-21.webm](https://github.com/user-attachments/assets/a9d6cc64-ec11-4f33-9f92-32efe0eaab23)\n\n\n1. Import [poc_v2.zip](https://github.com/user-attachments/files/23664109/poc_v2.zip).\n2. Open the application\u0027s profile directory, then open `log.txt`.\n3. Observe that `log.txt` has been overwritten non-log-file content (a WAV file).\n\nTested on Fedora Linux 43 with Joplin 3.4.12 (prod, linux) and Joplin 3.5.6 (dev, linux).\n\n**Note**: The PoC ZIP file overwrites Joplin\u0027s `log.txt`. It is also possible to craft a file that overwrites more sensitive system files (e.g. `.bashrc` on Linux).\n\n### Impact\nThis is a path traversal vulnerability that impacts **all versions of Joplin (\u003c= v3.5.6) that include a OneNote importer**. Importing a crafted OneNote export file allows an attacker to overwrite arbitrary files, potentially leading to remote code execution.\n\n### Patched in\n\n- **Joplin**: https://github.com/laurent22/joplin/commit/791668455e1aae50501ff57ea4783b3fba9d377c\n- **one2html**: https://github.com/msiemens/one2html/commit/948d65cdca5bb35d776b8b235ec05ff15249fd41",
  "id": "GHSA-gcmj-c9gg-9vh6",
  "modified": "2026-05-19T16:08:55Z",
  "published": "2026-05-15T16:27:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/laurent22/joplin/security/advisories/GHSA-gcmj-c9gg-9vh6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22810"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laurent22/joplin/pull/13736"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laurent22/joplin/commit/791668455e1aae50501ff57ea4783b3fba9d377c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/laurent22/joplin"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laurent22/joplin/blob/af5108d70233b1db9410346958c1587cf7c1b16d/packages/onenote-converter/renderer/src/page/embedded_file.rs#L13-L16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laurent22/joplin/releases/tag/v3.5.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@joplin/onenote-converter: Path traversal in OneNote importer allows overwriting arbitrary files"
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.