Common Weakness Enumeration

CWE-29

Allowed

Path Traversal: '\..\filename'

Abstraction: Variant · Status: Incomplete

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.

127 vulnerabilities reference this CWE, most recent first.

GHSA-482R-2HV2-P3X7

Vulnerability from github – Published: 2024-05-16 09:33 – Updated: 2024-05-16 09:33
VLAI
Details

A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the /list_personalities endpoint. By manipulating the category parameter, an attacker can traverse the directory structure and list any directory on the system. This issue affects the latest version of the application. The vulnerability is due to improper handling of user-supplied input in the list_personalities function, where the category parameter can be controlled to specify arbitrary directories for listing. Successful exploitation of this vulnerability could allow an attacker to list all folders in the drive on the system, potentially leading to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-29"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-16T09:15:16Z",
    "severity": "HIGH"
  },
  "details": "A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `/list_personalities` endpoint. By manipulating the `category` parameter, an attacker can traverse the directory structure and list any directory on the system. This issue affects the latest version of the application. The vulnerability is due to improper handling of user-supplied input in the `list_personalities` function, where the `category` parameter can be controlled to specify arbitrary directories for listing. Successful exploitation of this vulnerability could allow an attacker to list all folders in the drive on the system, potentially leading to information disclosure.",
  "id": "GHSA-482r-2hv2-p3x7",
  "modified": "2024-05-16T09:33:09Z",
  "published": "2024-05-16T09:33:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4322"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/5116d858-ce00-418c-a5a5-851c5608c209"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4QCX-JX49-6QRH

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 20:54
VLAI
Summary
Aim path traversal in LockManager.release_locks
Details

A vulnerability in the LockManager.release_locks function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The run_hash parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the Repo._close_run() method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "aim"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.15.0"
            },
            {
              "last_affected": "3.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-8769"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-29"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-20T20:54:05Z",
    "nvd_published_at": "2025-03-20T10:15:44Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the `Repo._close_run()` method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.",
  "id": "GHSA-4qcx-jx49-6qrh",
  "modified": "2025-03-20T20:54:06Z",
  "published": "2025-03-20T12:32:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8769"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aimhubio/aim"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimhubio/aim/blob/bb76afe6e9a54364f322520cc4fea2679238f904/aim/sdk/lock_manager.py#L140"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Aim  path traversal in LockManager.release_locks"
}

GHSA-4RQF-8PFM-P36R

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 03:21
VLAI
Summary
MLflow has a Local File Read/Path Traversal in dbfs
Details

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while parts such as query and parameters are not handled. The vulnerability is triggered if the user has configured the dbfs service, and during usage, the service is mounted to a local directory.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mlflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.17.0rc0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-8859"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-29"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T03:21:56Z",
    "nvd_published_at": "2025-03-20T10:15:44Z",
    "severity": "HIGH"
  },
  "details": "A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while parts such as query and parameters are not handled. The vulnerability is triggered if the user has configured the dbfs service, and during usage, the service is mounted to a local directory.",
  "id": "GHSA-4rqf-8pfm-p36r",
  "modified": "2025-03-21T03:21:56Z",
  "published": "2025-03-20T12:32:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8859"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/commit/7791b8cdd595f21b5f179c7b17e4b5eb5cbbe654"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mlflow/mlflow"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/2259b88b-a0c6-4c7c-b434-6aacf6056dcb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MLflow has a Local File Read/Path Traversal in dbfs"
}

GHSA-4V3G-89JR-8HCP

Vulnerability from github – Published: 2024-05-16 09:33 – Updated: 2024-05-16 09:33
VLAI
Details

A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to insufficient sanitization of the 'config' parameter in the 'apply_settings' function, allowing an attacker to manipulate the application's configuration by sending specially crafted JSON payloads. This could lead to remote code execution (RCE) by bypassing existing patches designed to mitigate such vulnerabilities.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3435"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-29"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-16T09:15:14Z",
    "severity": "HIGH"
  },
  "details": "A path traversal vulnerability exists in the \u0027save_settings\u0027 endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to insufficient sanitization of the \u0027config\u0027 parameter in the \u0027apply_settings\u0027 function, allowing an attacker to manipulate the application\u0027s configuration by sending specially crafted JSON payloads. This could lead to remote code execution (RCE) by bypassing existing patches designed to mitigate such vulnerabilities.",
  "id": "GHSA-4v3g-89jr-8hcp",
  "modified": "2024-05-16T09:33:08Z",
  "published": "2024-05-16T09:33:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3435"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parisneo/lollms-webui/commit/bb99b59e710d00c4f2598faa5e183fa30fbd3bc2"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/494f349a-8650-4d30-a0bd-4742fda44ce5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4VQF-PWQ6-3WH3

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

A Local File Inclusion (LFI) vulnerability in OpenLLM version 0.6.10 allows attackers to include files from the local server through the web application. This flaw could expose internal server files and potentially sensitive information such as configuration files, passwords, and other critical data. Unauthorized access to critical server files, such as configuration files, user credentials (/etc/passwd), and private keys, can lead to a complete compromise of the system's security. Attackers could leverage the exposed information to further penetrate the network, exfiltrate data, or escalate privileges within the environment.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8982"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-29"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:45Z",
    "severity": "MODERATE"
  },
  "details": "A Local File Inclusion (LFI) vulnerability in OpenLLM version 0.6.10 allows attackers to include files from the local server through the web application. This flaw could expose internal server files and potentially sensitive information such as configuration files, passwords, and other critical data. Unauthorized access to critical server files, such as configuration files, user credentials (/etc/passwd), and private keys, can lead to a complete compromise of the system\u0027s security. Attackers could leverage the exposed information to further penetrate the network, exfiltrate data, or escalate privileges within the environment.",
  "id": "GHSA-4vqf-pwq6-3wh3",
  "modified": "2025-03-20T12:32:49Z",
  "published": "2025-03-20T12:32:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8982"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/b7bdc9a1-51ac-402a-8e6e-0d977699aca6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-554W-XH4J-8W64

Vulnerability from github – Published: 2023-12-15 03:30 – Updated: 2024-02-14 15:08
VLAI
Summary
Path traversal in MLflow
Details

Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mlflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-6831"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-29"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-15T23:01:09Z",
    "nvd_published_at": "2023-12-15T01:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "Path Traversal: \u0027\\..\\filename\u0027 in GitHub repository mlflow/mlflow prior to 2.9.2.",
  "id": "GHSA-554w-xh4j-8w64",
  "modified": "2024-02-14T15:08:04Z",
  "published": "2023-12-15T03:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6831"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mlflow/mlflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-253.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/0acdd745-0167-4912-9d5c-02035fe5b314"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Path traversal in MLflow"
}

GHSA-5FHX-JCWV-9WJJ

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. The application supports the extraction of user-provided 7z files without proper validation. The Python py7zr package used for extraction does not guarantee that files will remain within the intended extraction directory. An attacker can exploit this vulnerability to perform arbitrary file writes, which can lead to remote code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12389"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-29"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:28Z",
    "severity": "HIGH"
  },
  "details": "A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. The application supports the extraction of user-provided 7z files without proper validation. The Python py7zr package used for extraction does not guarantee that files will remain within the intended extraction directory. An attacker can exploit this vulnerability to perform arbitrary file writes, which can lead to remote code execution.",
  "id": "GHSA-5fhx-jcwv-9wjj",
  "modified": "2025-03-20T12:32:43Z",
  "published": "2025-03-20T12:32:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12389"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/37afb1c9-bba9-47ee-8617-a5f715271654"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5P62-PPJR-4C45

Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2024-06-06 21:30
VLAI
Details

A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the @router.get("/switch_personal_path") endpoint in ./lollms-webui/lollms_core/lollms/server/endpoints/lollms_user.py. The vulnerability arises due to insufficient sanitization of user-supplied input for the path parameter, allowing an attacker to specify arbitrary file system paths. This flaw enables direct arbitrary file uploads, leakage of personal_data, and overwriting of configurations in lollms-webui->configs by exploiting the same named directory in personal_data. The issue affects the latest version of the application and is fixed in version 9.4. Successful exploitation could lead to sensitive information disclosure, unauthorized file uploads, and potentially remote code execution by overwriting critical configuration files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2624"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-29"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-06T19:15:55Z",
    "severity": "CRITICAL"
  },
  "details": "A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the `@router.get(\"/switch_personal_path\")` endpoint in `./lollms-webui/lollms_core/lollms/server/endpoints/lollms_user.py`. The vulnerability arises due to insufficient sanitization of user-supplied input for the `path` parameter, allowing an attacker to specify arbitrary file system paths. This flaw enables direct arbitrary file uploads, leakage of `personal_data`, and overwriting of configurations in `lollms-webui`-\u003e`configs` by exploiting the same named directory in `personal_data`. The issue affects the latest version of the application and is fixed in version 9.4. Successful exploitation could lead to sensitive information disclosure, unauthorized file uploads, and potentially remote code execution by overwriting critical configuration files.",
  "id": "GHSA-5p62-ppjr-4c45",
  "modified": "2024-06-06T21:30:36Z",
  "published": "2024-06-06T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2624"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parisneo/lollms-webui/commit/aeba79f3ea934331b8ecd625a58bae6e4f7e7d3f"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/39e17897-0e92-4473-91c7-f728322191aa"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5R3Q-93Q3-F978

Vulnerability from github – Published: 2023-12-20 06:30 – Updated: 2024-09-24 21:25
VLAI
Summary
MLflow Path Traversal Vulnerability
Details

Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mlflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-6909"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-29"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-20T20:37:01Z",
    "nvd_published_at": "2023-12-18T04:15:52Z",
    "severity": "HIGH"
  },
  "details": "Path Traversal: \u0027\\..\\filename\u0027 in GitHub repository mlflow/mlflow prior to 2.9.2.",
  "id": "GHSA-5r3q-93q3-f978",
  "modified": "2024-09-24T21:25:26Z",
  "published": "2023-12-20T06:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6909"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/commit/1da75dfcecd4d169e34809ade55748384e8af6c1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mlflow/mlflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-252.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/11209efb-0f84-482f-add0-587ea6b7e850"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MLflow Path Traversal Vulnerability"
}

GHSA-622M-GM3H-6W77

Vulnerability from github – Published: 2024-06-30 06:31 – Updated: 2024-06-30 06:31
VLAI
Details

Path Traversal: '..\filename' in GitHub repository stitionai/devika prior to -.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5926"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-29"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-30T01:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "Path Traversal: \u0027\\..\\filename\u0027 in GitHub repository stitionai/devika prior to -.",
  "id": "GHSA-622m-gm3h-6w77",
  "modified": "2024-06-30T06:31:00Z",
  "published": "2024-06-30T06:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5926"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/19af24fe-9b90-4638-8fbc-b18def6985d7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.