CWE-23
AllowedRelative Path Traversal
Abstraction: Base · Status: Draft
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
778 vulnerabilities reference this CWE, most recent first.
GHSA-73GH-39WP-XM6C
Vulnerability from github – Published: 2025-04-30 12:31 – Updated: 2025-04-30 12:31A vulnerability in the “Manages app data” functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary files in arbitrary file system paths via a crafted HTTP request.
{
"affected": [],
"aliases": [
"CVE-2025-24343"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-30T12:15:17Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the \u201cManages app data\u201d functionality of the web application of ctrlX OS allows a remote authenticated (low-privileged) attacker to write arbitrary files in arbitrary file system paths via a crafted HTTP request.",
"id": "GHSA-73gh-39wp-xm6c",
"modified": "2025-04-30T12:31:24Z",
"published": "2025-04-30T12:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24343"
},
{
"type": "WEB",
"url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-73GX-X7R9-77X2
Vulnerability from github – Published: 2025-02-26 20:07 – Updated: 2025-10-16 20:41Summary
This advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3. These vulnerabilities could be exploited by authenticated users.
-
Remote Code Execution (RCE) via Asset Upload: A Remote Code Execution vulnerability has been identified in the asset upload functionality. Insufficient enforcement of allowed file extensions allows an attacker to bypass restrictions and upload executable files, such as PHP scripts.
-
Path Traversal File Deletion: A Path Traversal vulnerability exists in the upload validation process. Due to improper handling of path components, an authenticated user can manipulate the file deletion process to delete arbitrary files on the host system.
Mitigation
Please update to 5.2.3 or later.
Workarounds
None
References
https://owasp.org/www-community/attacks/Code_Injection https://owasp.org/www-community/attacks/Path_Traversal
If you have any questions or comments about this advisory:
Email us at security@mautic.org
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47051"
],
"database_specific": {
"cwe_ids": [
"CWE-23",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-26T20:07:45Z",
"nvd_published_at": "2025-02-26T13:15:39Z",
"severity": "CRITICAL"
},
"details": "### Summary\nThis advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3. These vulnerabilities could be exploited by authenticated users.\n\n* **Remote Code Execution (RCE) via Asset Upload:** A Remote Code Execution vulnerability has been identified in the asset upload functionality. Insufficient enforcement of allowed file extensions allows an attacker to bypass restrictions and upload executable files, such as PHP scripts.\n\n* **Path Traversal File Deletion:** A Path Traversal vulnerability exists in the upload validation process. Due to improper handling of path components, an authenticated user can manipulate the file deletion process to delete arbitrary files on the host system. \n \n### Mitigation\nPlease update to 5.2.3 or later.\n\n### Workarounds\nNone\n\n### References\nhttps://owasp.org/www-community/attacks/Code_Injection\nhttps://owasp.org/www-community/attacks/Path_Traversal\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@mautic.org](mailto:security@mautic.org)",
"id": "GHSA-73gx-x7r9-77x2",
"modified": "2025-10-16T20:41:27Z",
"published": "2025-02-26T20:07:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mautic/mautic/security/advisories/GHSA-73gx-x7r9-77x2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47051"
},
{
"type": "WEB",
"url": "https://github.com/mautic/mautic/commit/75bc488ce98b9c8ec01114984049fc1c42c0cae5"
},
{
"type": "PACKAGE",
"url": "https://github.com/mautic/mautic"
},
{
"type": "WEB",
"url": "https://owasp.org/www-community/attacks/Code_Injection"
},
{
"type": "WEB",
"url": "https://owasp.org/www-community/attacks/Path_Traversal"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Mautic allows Remote Code Execution and File Deletion in Asset Uploads"
}
GHSA-75JV-VFXF-3865
Vulnerability from github – Published: 2025-07-25 14:15 – Updated: 2025-08-12 13:26Path-Traversal -> Arbitrary File Write in Assemblyline Service Client
IMPORTANT: This vulnerability is valid if you decide to use the assemblyline-service-client outside of the normal practice to using Assemblyline in a production environment. In practice, this code should always be executed within a containerized environment such as assemblyline-v4-service which ensures filesystem-level permissions of what the running user is allowed to access. Furthermore, there is fewer chances for a MiTM compromise when deployed properly in a Docker or Kubernetes deployment where the platform will assign the correct network policies to secure connections between containers instead of relying on the user to set this up manually.
See https://github.com/CybercentreCanada/assemblyline/issues/382 for further discussion.
1. Summary
The Assemblyline 4 service client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.
No validation / sanitisation is performed.
A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as
../../../etc/cron.d/evil
and force the client to write the downloaded bytes to an arbitrary location on disk.
2. Affected Versions
| Item | Value |
|---|---|
| Component | assemblyline-service-client |
| Repository | CybercentreCanada/assemblyline-service-client |
| Affected | All releases up to master branch. |
3. CVSS 3.1 Vector & Score
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
4. Technical Details
| Field | Content |
|---|---|
| Location | assemblyline_service_client/task_handler.py, inside download_file() |
| Vulnerable Line | file_path = os.path.join(self.tasking_dir, sha256) |
| Root Cause | The sha256 string is taken directly from the service-server JSON response and used as a file name without any validation or sanitisation. |
| Exploit Flow | 1. Attacker (service server) returns HTTP 200 for GET /api/v1/file/../../../etc/cron.d/evil.2. Client writes the response body to /etc/cron.d/evil.3. Achieves arbitrary file write (code execution if file is executable). |
5. Impact
- Integrity – Overwrite any file writable by the service UID (often root).
- Availability – Corrupt critical files or exhaust disk space.
- Code Execution – Drop cron jobs, systemd units, or overwrite binaries.
6. Mitigation / Fix
import re
_SHA256_RE = re.compile(r'^[0-9a-fA-F]{64}\Z')
def download_file(self, sha256: str, sid: str) -> Optional[str]:
if not _SHA256_RE.fullmatch(sha256):
self.log.error(f"[{sid}] Invalid SHA256: {sha256}")
self.status = STATUSES.ERROR_FOUND
return None
# or your preferred way to check if a string is a shasum.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "assemblyline-service-client"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.0.stable11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "assemblyline-service-client"
},
"ranges": [
{
"events": [
{
"introduced": "4.6.1.dev0"
},
{
"fixed": "4.6.1.dev138"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55013"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-25T14:15:48Z",
"nvd_published_at": "2025-08-09T03:15:47Z",
"severity": "MODERATE"
},
"details": "**Path-Traversal -\u003e Arbitrary File Write in Assemblyline Service Client**\n\n**IMPORTANT**: This vulnerability is valid if you decide to use the assemblyline-service-client outside of the normal practice to using Assemblyline in a production environment. In practice, this code should always be executed within a containerized environment such as [assemblyline-v4-service](https://github.com/CybercentreCanada/assemblyline-v4-service) which ensures filesystem-level permissions of what the running user is allowed to access. Furthermore, there is fewer chances for a MiTM compromise when deployed properly in a Docker or Kubernetes deployment where the platform will assign the correct network policies to secure connections between containers instead of relying on the user to set this up manually.\n\nSee https://github.com/CybercentreCanada/assemblyline/issues/382 for further discussion.\n\n---\n\n## 1. Summary \nThe Assemblyline 4 **service client** (`task_handler.py`) accepts a SHA-256 value returned by the service **server** and uses it directly as a local file name. \n\u003e No validation / sanitisation is performed.\n\nA **malicious or compromised server** (or any MITM that can speak to client) can return a path-traversal payload such as \n`../../../etc/cron.d/evil` \nand force the client to write the downloaded bytes to an arbitrary location on disk.\n\n---\n\n## 2. Affected Versions \n| Item | Value |\n|---|---|\n| **Component** | `assemblyline-service-client` |\n| **Repository** | [CybercentreCanada/assemblyline-service-client](https://github.com/CybercentreCanada/assemblyline-service-client) |\n| **Affected** | **All releases up to master branch.** |\n\n\n---\n\n## 3. CVSS 3.1 Vector \u0026 Score \n```\nCVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\n```\n\n\n---\n\n## 4. Technical Details\n\n| Field | Content |\n|---|---|\n| **Location** | `assemblyline_service_client/task_handler.py`, inside `download_file()` |\n| **Vulnerable Line** | `file_path = os.path.join(self.tasking_dir, sha256)` |\n| **Root Cause** | The `sha256` string is taken directly from the service-server JSON response and used as a file name without any validation or sanitisation. |\n| **Exploit Flow** | 1. Attacker (service server) returns HTTP 200 for `GET /api/v1/file/../../../etc/cron.d/evil`.\u003cbr\u003e2. Client writes the response body to `/etc/cron.d/evil`.\u003cbr\u003e3. Achieves arbitrary file write (code execution if file is executable). |\n\n---\n\n## 5. Impact \n- **Integrity** \u2013 Overwrite any file writable by the service UID (often root). \n- **Availability** \u2013 Corrupt critical files or exhaust disk space. \n- **Code Execution** \u2013 Drop cron jobs, systemd units, or overwrite binaries.\n\n---\n\n## 6. Mitigation / Fix\n\n```python\nimport re\n\n_SHA256_RE = re.compile(r\u0027^[0-9a-fA-F]{64}\\Z\u0027)\n\ndef download_file(self, sha256: str, sid: str) -\u003e Optional[str]:\n if not _SHA256_RE.fullmatch(sha256):\n self.log.error(f\"[{sid}] Invalid SHA256: {sha256}\")\n self.status = STATUSES.ERROR_FOUND\n return None\n # or your preferred way to check if a string is a shasum.\n```\n---",
"id": "GHSA-75jv-vfxf-3865",
"modified": "2025-08-12T13:26:14Z",
"published": "2025-07-25T14:15:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/CybercentreCanada/assemblyline/security/advisories/GHSA-75jv-vfxf-3865"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55013"
},
{
"type": "WEB",
"url": "https://github.com/CybercentreCanada/assemblyline-service-client/commit/351414e7e96cc1f5640ae71ae51b939e8ba30900"
},
{
"type": "PACKAGE",
"url": "https://github.com/CybercentreCanada/assemblyline-service-client"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Assemblyline 4 service client vulnerable to Arbitrary Write through path traversal in Client code "
}
GHSA-76MM-JG8W-RCJ3
Vulnerability from github – Published: 2025-08-06 21:31 – Updated: 2025-08-06 21:31A path traversal vulnerability in Vedo Suite 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'file_get_contents()' function call in '/api_vedo/template'.
{
"affected": [],
"aliases": [
"CVE-2025-51052"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-06T21:15:29Z",
"severity": "MODERATE"
},
"details": "A path traversal vulnerability in Vedo Suite 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized \u0027file_get_contents()\u0027 function call in \u0027/api_vedo/template\u0027.",
"id": "GHSA-76mm-jg8w-rcj3",
"modified": "2025-08-06T21:31:40Z",
"published": "2025-08-06T21:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51052"
},
{
"type": "WEB",
"url": "https://github.com/jacopoaugelli/vedo-suite-exploits"
},
{
"type": "WEB",
"url": "http://vedo.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-76Q8-QPVR-6MHP
Vulnerability from github – Published: 2025-02-24 00:30 – Updated: 2025-02-24 00:30A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/app/profile_crud.php. The manipulation of the argument old_cat_img leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-1599"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-24T00:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/app/profile_crud.php. The manipulation of the argument old_cat_img leads to path traversal: \u0027../filedir\u0027. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-76q8-qpvr-6mhp",
"modified": "2025-02-24T00:30:55Z",
"published": "2025-02-24T00:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1599"
},
{
"type": "WEB",
"url": "https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/best-church-management-software-Delete-any-file.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.296594"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.296594"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.498188"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7793-HMG3-GH57
Vulnerability from github – Published: 2026-07-09 18:31 – Updated: 2026-07-09 18:31LibreBooking's email template editor save action passes the submitted template name directly into the destination file path, allowing a remote attacker with administrator credentials to write an arbitrary file outside the template directory and execute code. Fixed in 5.1.0.
{
"affected": [],
"aliases": [
"CVE-2026-61343"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T18:16:58Z",
"severity": "HIGH"
},
"details": "LibreBooking\u0027s email template editor save action passes the submitted template name directly into the destination file path, allowing a remote attacker with administrator credentials to write an arbitrary file outside the template directory and execute code. Fixed in 5.1.0.",
"id": "GHSA-7793-hmg3-gh57",
"modified": "2026-07-09T18:31:53Z",
"published": "2026-07-09T18:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-61343"
},
{
"type": "WEB",
"url": "https://github.com/LibreBooking/librebooking/pull/1456"
},
{
"type": "WEB",
"url": "https://github.com/LibreBooking/librebooking/commit/cb9b7ad9da0243bd105809f6a4a8a6b9147c71ea"
},
{
"type": "WEB",
"url": "https://github.com/LibreBooking/librebooking/releases/tag/v5.1.0"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-190-01.json"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-61343"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-77CJ-JX2Q-994Q
Vulnerability from github – Published: 2024-12-16 09:31 – Updated: 2024-12-16 09:31The topm-client from Chunghwa Telecom has an Arbitrary File Read vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains a Relative Path Traversal vulnerability, allowing attackers to read arbitrary files on the user's system.
{
"affected": [],
"aliases": [
"CVE-2024-12645"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-16T07:15:06Z",
"severity": "MODERATE"
},
"details": "The topm-client from Chunghwa Telecom has an Arbitrary File Read vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains a Relative Path Traversal vulnerability, allowing attackers to read arbitrary files on the user\u0027s system.",
"id": "GHSA-77cj-jx2q-994q",
"modified": "2024-12-16T09:31:10Z",
"published": "2024-12-16T09:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12645"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-8303-3220b-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-8297-13670-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-77JM-6QR9-XF3J
Vulnerability from github – Published: 2026-01-07 18:30 – Updated: 2026-01-07 18:30@sylphxltd/filesystem-mcp v0.5.8 is an MCP server that provides file content reading functionality. Version 0.5.8 of filesystem-mcp contains a critical path traversal vulnerability in its "read_content" tool. This vulnerability arises from improper symlink handling in the path validation mechanism: the resolvePath function checks path validity before resolving symlinks, while fs.readFile resolves symlinks automatically during file access. This allows attackers to bypass directory restrictions by leveraging symlinks within the allowed directory that point to external files, enabling unauthorized access to files outside the intended operational scope.
{
"affected": [],
"aliases": [
"CVE-2025-67366"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-07T17:16:01Z",
"severity": "HIGH"
},
"details": "@sylphxltd/filesystem-mcp v0.5.8 is an MCP server that provides file content reading functionality. Version 0.5.8 of filesystem-mcp contains a critical path traversal vulnerability in its \"read_content\" tool. This vulnerability arises from improper symlink handling in the path validation mechanism: the resolvePath function checks path validity before resolving symlinks, while fs.readFile resolves symlinks automatically during file access. This allows attackers to bypass directory restrictions by leveraging symlinks within the allowed directory that point to external files, enabling unauthorized access to files outside the intended operational scope.",
"id": "GHSA-77jm-6qr9-xf3j",
"modified": "2026-01-07T18:30:26Z",
"published": "2026-01-07T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67366"
},
{
"type": "WEB",
"url": "https://github.com/sylphxltd/filesystem-mcp/issues/134"
},
{
"type": "WEB",
"url": "https://github.com/sylphxltd/filesystem-mcp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-792Q-Q67H-W579
Vulnerability from github – Published: 2023-10-24 01:35 – Updated: 2023-10-24 01:35Impact
Parse Server crashes when uploading a file without extension.
Patches
A permanent fix has been implemented to prevent the server from crashing.
Workarounds
There are no known workarounds.
References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579
- Patched in Parse Server 6: https://github.com/parse-community/parse-server/releases/tag/6.3.1
- Patched in Parse Server 5 (LTS): https://github.com/parse-community/parse-server/releases/tag/5.5.6
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "5.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46119"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-24T01:35:17Z",
"nvd_published_at": "2023-10-25T18:17:36Z",
"severity": "HIGH"
},
"details": "### Impact\n\nParse Server crashes when uploading a file without extension.\n\n### Patches\n\nA permanent fix has been implemented to prevent the server from crashing.\n\n### Workarounds\n\nThere are no known workarounds.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579\n- Patched in Parse Server 6: https://github.com/parse-community/parse-server/releases/tag/6.3.1\n- Patched in Parse Server 5 (LTS): https://github.com/parse-community/parse-server/releases/tag/5.5.6",
"id": "GHSA-792q-q67h-w579",
"modified": "2023-10-24T01:35:17Z",
"published": "2023-10-24T01:35:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46119"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/686a9f282dc23c31beab3d93e6d21ccd0e1328fe"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/fd86278919556d3682e7e2c856dfccd5beffbfc0"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/5.5.6"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/6.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Parse Server may crash when uploading file without extension"
}
GHSA-79JV-P4W2-QGX9
Vulnerability from github – Published: 2025-10-24 00:30 – Updated: 2025-10-24 00:30A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and create arbitrary directories on the target machine.
{
"affected": [],
"aliases": [
"CVE-2025-59776"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-23T23:15:37Z",
"severity": "MODERATE"
},
"details": "A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and create arbitrary directories on the target machine.",
"id": "GHSA-79jv-p4w2-qgx9",
"modified": "2025-10-24T00:30:53Z",
"published": "2025-10-24T00:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59776"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json"
},
{
"type": "WEB",
"url": "https://support.automationdirect.com/docs/securityconsiderations.pdf"
},
{
"type": "WEB",
"url": "https://www.automationdirect.com/support/software-downloads"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Strategy: Input Validation
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
- Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
- realpath() in C
- getCanonicalPath() in Java
- GetFullPath() in ASP.NET
- realpath() or abs_path() in Perl
- realpath() in PHP
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-139: Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.