CWE-23
AllowedRelative Path Traversal
Abstraction: Base · Status: Draft
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
778 vulnerabilities reference this CWE, most recent first.
GHSA-X3H8-62X9-952G
Vulnerability from github – Published: 2025-11-19 19:43 – Updated: 2025-11-19 19:43Summary
A vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system.
Details
- Title: Arbitrary Local File Read in Astro Development Image Endpoint
- Type: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Component:
/packages/astro/src/assets/endpoint/node.ts - Affected Versions: Astro v5.x development builds (confirmed v5.13.3)
- Attack Vector: Network (HTTP GET request)
- Authentication Required: None
The vulnerability exists in the Node.js image endpoint handler used during development mode. The endpoint accepts an href parameter that specifies the path to an image file. In development mode, this parameter is processed without adequate path validation, allowing attackers to specify absolute file paths.
Vulnerable Code Location: packages/astro/src/assets/endpoint/node.ts
// Vulnerable code in development mode
if (import.meta.env.DEV) {
fileUrl = pathToFileURL(removeQueryString(replaceFileSystemReferences(src)));
} else {
// Production has proper path validation
// ... security checks omitted in dev mode
}
The development branch bypasses the security checks that exist in the production code path, which validates that file paths are within the allowed assets directory.
PoC
Attack Prerequisites
- Astro development server must be running (
astro dev) - The
/_imageendpoint must be accessible to the attacker - Target image files must be readable by the Node.js process
Exploit Steps
-
Start Astro Development Server:
bash astro dev # Typically runs on http://localhost:4321 -
Craft Malicious Request:
http GET /_image?href=/[ABSOLUTE_PATH_TO_IMAGE]&w=100&h=100&f=png HTTP/1.1 Host: localhost:4321 -
Example Attack:
bash curl "http://localhost:4321/_image?href=/%2FSystem%2FLibrary%2FImage%20Capture%2FAutomatic%20Tasks%2FMakePDF.app%2FContents%2FResources%2F0blank.jpg&w=100&h=100&f=png" -o stolen.png
Demonstration Results
Test Environment: macOS with Astro v5.13.3
Successful Exploitation:
- Target: /System/Library/Image Capture/Automatic Tasks/MakePDF.app/Contents/Resources/0blank.jpg
- Response: HTTP 200 OK, Content-Type: image/png
- Exfiltration: 303 bytes (100x100 PNG)
- File Created: stolen-image.png containing processed system image
Attack Payload:
http://localhost:4321/_image?href=/%2FSystem%2FLibrary%2FImage%20Capture%2FAutomatic%20Tasks%2FMakePDF.app%2FContents%2FResources%2F0blank.jpg&w=100&h=100&f=png
Server Response:
Status: 200 OK
Content-Type: image/png
Content-Length: 303
Impact
Confidentiality Impact: HIGH
- Scope: Any image file readable by the Node.js process
- Exfiltration Method: Complete file contents via HTTP response (transformed to PNG)
Integrity Impact: NONE
- The vulnerability only allows reading files, not modification
Availability Impact: NONE
- No direct impact on system availability
- Potential for resource exhaustion through repeated large image requests
Affected Components
Primary Component
- File:
packages/astro/src/assets/endpoint/node.ts - Function:
loadLocalImage() - Lines: Development mode branch (~25-35)
Secondary Components
- File:
packages/astro/src/assets/endpoint/generic.ts - Impact: Uses different code path, not directly vulnerable
- Note: Implements proper remote allowlist validation
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "astro"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64757"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-19T19:43:05Z",
"nvd_published_at": "2025-11-19T17:15:52Z",
"severity": "LOW"
},
"details": "### Summary\nA vulnerability has been identified in the Astro framework\u0027s development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system.\n\n### Details\n- **Title**: Arbitrary Local File Read in Astro Development Image Endpoint\n- **Type**: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\n- **Component**: `/packages/astro/src/assets/endpoint/node.ts`\n- **Affected Versions**: Astro v5.x development builds (confirmed v5.13.3)\n- **Attack Vector**: Network (HTTP GET request)\n- **Authentication Required**: None\n\nThe vulnerability exists in the Node.js image endpoint handler used during development mode. The endpoint accepts an `href` parameter that specifies the path to an image file. In development mode, this parameter is processed without adequate path validation, allowing attackers to specify absolute file paths.\n\n**Vulnerable Code Location**: `packages/astro/src/assets/endpoint/node.ts`\n\n```typescript\n// Vulnerable code in development mode\nif (import.meta.env.DEV) {\n fileUrl = pathToFileURL(removeQueryString(replaceFileSystemReferences(src)));\n} else {\n // Production has proper path validation\n // ... security checks omitted in dev mode\n}\n```\n\nThe development branch bypasses the security checks that exist in the production code path, which validates that file paths are within the allowed assets directory.\n\n### PoC\n#### Attack Prerequisites\n1. Astro development server must be running (`astro dev`)\n2. The `/_image` endpoint must be accessible to the attacker\n3. Target image files must be readable by the Node.js process\n\n#### Exploit Steps\n\n1. Start Astro Development Server:\n ```bash\n astro dev # Typically runs on http://localhost:4321\n ```\n\n2. Craft Malicious Request:\n ```http\n GET /_image?href=/[ABSOLUTE_PATH_TO_IMAGE]\u0026w=100\u0026h=100\u0026f=png HTTP/1.1\n Host: localhost:4321\n ```\n\n3. Example Attack:\n ```bash\n curl \"http://localhost:4321/_image?href=/%2FSystem%2FLibrary%2FImage%20Capture%2FAutomatic%20Tasks%2FMakePDF.app%2FContents%2FResources%2F0blank.jpg\u0026w=100\u0026h=100\u0026f=png\" -o stolen.png\n ```\n\n#### Demonstration Results\n\n**Test Environment**: macOS with Astro v5.13.3\n\n**Successful Exploitation**:\n- Target: `/System/Library/Image Capture/Automatic Tasks/MakePDF.app/Contents/Resources/0blank.jpg`\n- Response: HTTP 200 OK, Content-Type: image/png\n- Exfiltration: 303 bytes (100x100 PNG)\n- File Created: `stolen-image.png` containing processed system image\n\n**Attack Payload**:\n```\nhttp://localhost:4321/_image?href=/%2FSystem%2FLibrary%2FImage%20Capture%2FAutomatic%20Tasks%2FMakePDF.app%2FContents%2FResources%2F0blank.jpg\u0026w=100\u0026h=100\u0026f=png\n```\n\n**Server Response**:\n```\nStatus: 200 OK\nContent-Type: image/png\nContent-Length: 303\n```\n\n### Impact\n\n#### Confidentiality Impact: HIGH\n- **Scope**: Any image file readable by the Node.js process\n- **Exfiltration Method**: Complete file contents via HTTP response (transformed to PNG)\n\n#### Integrity Impact: NONE\n- The vulnerability only allows reading files, not modification\n\n#### Availability Impact: NONE \n- No direct impact on system availability\n- Potential for resource exhaustion through repeated large image requests\n\n### Affected Components\n\n#### Primary Component\n- **File**: `packages/astro/src/assets/endpoint/node.ts`\n- **Function**: `loadLocalImage()`\n- **Lines**: Development mode branch (~25-35)\n\n#### Secondary Components \n- **File**: `packages/astro/src/assets/endpoint/generic.ts`\n- **Impact**: Uses different code path, not directly vulnerable\n- **Note**: Implements proper remote allowlist validation",
"id": "GHSA-x3h8-62x9-952g",
"modified": "2025-11-19T19:43:05Z",
"published": "2025-11-19T19:43:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64757"
},
{
"type": "WEB",
"url": "https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7"
},
{
"type": "PACKAGE",
"url": "https://github.com/withastro/astro"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Astro Development Server has Arbitrary Local File Read"
}
GHSA-X422-6QHV-P29G
Vulnerability from github – Published: 2023-04-28 00:30 – Updated: 2024-09-25 17:47Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mlflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-2356"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-01T13:43:17Z",
"nvd_published_at": "2023-04-28T00:15:08Z",
"severity": "HIGH"
},
"details": "Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.",
"id": "GHSA-x422-6qhv-p29g",
"modified": "2024-09-25T17:47:29Z",
"published": "2023-04-28T00:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2356"
},
{
"type": "WEB",
"url": "https://github.com/mlflow/mlflow/commit/f73147496e05c09a8b83d95fb4f1bf86696c6342"
},
{
"type": "PACKAGE",
"url": "https://github.com/mlflow/mlflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2023-68.yaml"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/7b5d130d-38eb-4133-8c7d-0dfc9a9d9896"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Relative path traversal in mlflow"
}
GHSA-X5W2-Q3RJ-2CPP
Vulnerability from github – Published: 2025-03-03 15:31 – Updated: 2026-04-01 18:33Relative Path Traversal vulnerability in NotFound Delete Comments By Status allows PHP Local File Inclusion. This issue affects Delete Comments By Status: from n/a through 2.1.1.
{
"affected": [],
"aliases": [
"CVE-2025-25130"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-03T14:15:52Z",
"severity": "HIGH"
},
"details": "Relative Path Traversal vulnerability in NotFound Delete Comments By Status allows PHP Local File Inclusion. This issue affects Delete Comments By Status: from n/a through 2.1.1.",
"id": "GHSA-x5w2-q3rj-2cpp",
"modified": "2026-04-01T18:33:54Z",
"published": "2025-03-03T15:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25130"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/delete-comments-by-status/vulnerability/wordpress-external-video-for-everybody-plugin-2-1-1-cross-site-scripting-xss-vulnerability-3?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X62R-P93V-PV79
Vulnerability from github – Published: 2025-07-28 18:31 – Updated: 2025-07-28 18:31In JetBrains TeamCity before 2025.07 path traversal was possible via plugin unpacking on Windows
{
"affected": [],
"aliases": [
"CVE-2025-54531"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-28T17:15:32Z",
"severity": "HIGH"
},
"details": "In JetBrains TeamCity before 2025.07 path traversal was possible via plugin unpacking on Windows",
"id": "GHSA-x62r-p93v-pv79",
"modified": "2025-07-28T18:31:28Z",
"published": "2025-07-28T18:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54531"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-X8Q6-CCHR-P7M6
Vulnerability from github – Published: 2025-02-23 15:30 – Updated: 2025-02-24 18:31A vulnerability classified as problematic was found in opensolon Solon up to 3.0.8. This vulnerability affects unknown code of the file solon-projects/solon-web/solon-web-staticfiles/src/main/java/org/noear/solon/web/staticfiles/StaticMappings.java. The manipulation leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.9 is able to address this issue. The name of the patch is f46e47fd1f8455b9467d7ead3cdb0509115b2ef1. It is recommended to upgrade the affected component.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.noear:solon-web-staticfiles"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-1584"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-24T18:31:10Z",
"nvd_published_at": "2025-02-23T13:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic was found in opensolon Solon up to 3.0.8. This vulnerability affects unknown code of the file solon-projects/solon-web/solon-web-staticfiles/src/main/java/org/noear/solon/web/staticfiles/StaticMappings.java. The manipulation leads to path traversal: \u0027../filedir\u0027. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.9 is able to address this issue. The name of the patch is f46e47fd1f8455b9467d7ead3cdb0509115b2ef1. It is recommended to upgrade the affected component.",
"id": "GHSA-x8q6-cchr-p7m6",
"modified": "2025-02-24T18:31:10Z",
"published": "2025-02-23T15:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1584"
},
{
"type": "WEB",
"url": "https://github.com/opensolon/solon/issues/332"
},
{
"type": "WEB",
"url": "https://github.com/opensolon/solon/issues/332#issue-2866229828"
},
{
"type": "WEB",
"url": "https://github.com/opensolon/solon/issues/332#issuecomment-2674330700"
},
{
"type": "WEB",
"url": "https://github.com/opensolon/solon/commit/f46e47fd1f8455b9467d7ead3cdb0509115b2ef1"
},
{
"type": "PACKAGE",
"url": "https://github.com/opensolon/solon"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.296560"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.296560"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.504454"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Solon Path Traversal"
}
GHSA-X8WJ-6M73-GFQP
Vulnerability from github – Published: 2020-02-18 18:59 – Updated: 2021-01-08 20:30Impact
The vulnerability was identified in the web service for a chunked file upload. While the names of the POST parameters vary with the used frontend, their values are always used in the same way to build a path where the chunks are stored and assembled temporarily. By not validating these parameters properly, OneupUploaderBundle is susceptible to a path traversal vulnerability which can be exploited to upload files to arbitrary folders on the filesystem. The assembly process can further be misused with some restrictions to delete and copy files to other locations.
The vulnerability can be exploited by any users that have legitimate access to the upload functionality and can lead to arbitrary code execution, denial of service and disclosure of confidential information.
Patches
Yes, see version 1.9.3 and 2.1.5.
References
https://owasp.org/www-community/attacks/Path_Traversal
Credits:
This security vulnerability was found by Thibaud Kehler of SySS GmbH. E-Mail: thibaud.kehler@syss.de
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "oneup/uploader-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "oneup/uploader-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.9.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5237"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2020-02-05T13:52:02Z",
"nvd_published_at": "2020-02-05T14:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThe vulnerability was identified in the web service for a chunked file\nupload. While the names of the POST parameters vary with the used\nfrontend, their values are always used in the same way to build a path\nwhere the chunks are stored and assembled temporarily. By not validating\nthese parameters properly, OneupUploaderBundle is susceptible to a path\ntraversal vulnerability which can be exploited to upload files to\narbitrary folders on the filesystem. The assembly process can further be\nmisused with some restrictions to delete and copy files to other\nlocations.\n\nThe vulnerability can be exploited by any users that have legitimate\naccess to the upload functionality and can lead to arbitrary code\nexecution, denial of service and disclosure of confidential information.\n\n### Patches\nYes, see version 1.9.3 and 2.1.5.\n\n### References\nhttps://owasp.org/www-community/attacks/Path_Traversal\n\n### Credits:\nThis security vulnerability was found by Thibaud Kehler of SySS GmbH.\nE-Mail: thibaud.kehler@syss.de",
"id": "GHSA-x8wj-6m73-gfqp",
"modified": "2021-01-08T20:30:34Z",
"published": "2020-02-18T18:59:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/1up-lab/OneupUploaderBundle/security/advisories/GHSA-x8wj-6m73-gfqp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5237"
},
{
"type": "WEB",
"url": "https://github.com/1up-lab/OneupUploaderBundle/commit/a6011449b716f163fe1ae323053077e59212350c"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/oneup/uploader-bundle/CVE-2020-5237.yaml"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-003.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Relative Path Traversal (CWE-23) in chunked uploads in oneup/uploader-bundle"
}
GHSA-XC28-GW78-R3RV
Vulnerability from github – Published: 2024-10-16 15:32 – Updated: 2026-04-01 18:32: Relative Path Traversal vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Path Traversal.This issue affects LiteSpeed Cache: from n/a through 6.4.1.
{
"affected": [],
"aliases": [
"CVE-2024-47637"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-16T14:15:06Z",
"severity": "HIGH"
},
"details": ": Relative Path Traversal vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Path Traversal.This issue affects LiteSpeed Cache: from n/a through 6.4.1.",
"id": "GHSA-xc28-gw78-r3rv",
"modified": "2026-04-01T18:32:01Z",
"published": "2024-10-16T15:32:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47637"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/litespeed-cache/vulnerability/wordpress-litespeed-cache-plugin-6-4-1-path-traversal-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-4-1-path-traversal-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XC8G-QWX7-GCFR
Vulnerability from github – Published: 2025-10-24 00:30 – Updated: 2025-10-24 00:30A relative path traversal (ZipSlip) vulnerability was discovered in Productivity Suite software version
4.4.1.19. The vulnerability allows an attacker who can tamper with a productivity project to execute arbitrary code on the machine where the project is opened.
{
"affected": [],
"aliases": [
"CVE-2025-62498"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-23T22:15:49Z",
"severity": "HIGH"
},
"details": "A relative path traversal (ZipSlip) vulnerability was discovered in Productivity Suite software version \n\n4.4.1.19. The vulnerability allows an attacker who can tamper with a productivity project to execute arbitrary code on the machine where the project is opened.",
"id": "GHSA-xc8g-qwx7-gcfr",
"modified": "2025-10-24T00:30:53Z",
"published": "2025-10-24T00:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62498"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json"
},
{
"type": "WEB",
"url": "https://www.automationdirect.com/support/software-downloads"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XCPX-G9WM-FRG6
Vulnerability from github – Published: 2023-07-11 18:31 – Updated: 2024-04-04 05:57Relative path traversal in the Zoom Client SDK before version 5.15.0 may allow an unauthorized user to enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2023-34117"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-11T17:15:13Z",
"severity": "LOW"
},
"details": "Relative path traversal in the Zoom Client SDK before version 5.15.0 may allow an unauthorized user to enable information disclosure via local access.\n",
"id": "GHSA-xcpx-g9wm-frg6",
"modified": "2024-04-04T05:57:06Z",
"published": "2023-07-11T18:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34117"
},
{
"type": "WEB",
"url": "https://explore.zoom.us/en/trust/security/security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XG3J-C7Q4-F9PH
Vulnerability from github – Published: 2026-06-19 06:31 – Updated: 2026-06-19 22:10Canonical MicroCeph versions from the squid and tentacle track are vulnerable to a path traversal issue in the remote-import API. Holders of a trusted cluster mTLS certificate (such as enrolled cluster members) or join token can manipulate files in an imported remote cluster within the /var/snap/microceph confinement. This would allow daemon disruption and pollution of the cluster state.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/canonical/microceph/microceph"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260609072127-5c2760d8fb76"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-10720"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T22:10:23Z",
"nvd_published_at": "2026-06-19T06:17:00Z",
"severity": "MODERATE"
},
"details": "Canonical MicroCeph versions from the squid and tentacle track are vulnerable to a path traversal issue in the remote-import API. Holders of a trusted cluster mTLS certificate (such as enrolled cluster members) or join token can manipulate files in an imported remote cluster within the /var/snap/microceph confinement. This would allow daemon disruption and pollution of the cluster state.",
"id": "GHSA-xg3j-c7q4-f9ph",
"modified": "2026-06-19T22:10:23Z",
"published": "2026-06-19T06:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10720"
},
{
"type": "WEB",
"url": "https://github.com/canonical/microceph/pull/758"
},
{
"type": "WEB",
"url": "https://github.com/canonical/microceph/commit/5c2760d8fb765d670e2673d3a537b67eae4b67c6"
},
{
"type": "PACKAGE",
"url": "https://github.com/canonical/microceph"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Canonical MicroCeph: path traversal issue in the remote-import AP"
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Strategy: Input Validation
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
- Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
- realpath() in C
- getCanonicalPath() in Java
- GetFullPath() in ASP.NET
- realpath() or abs_path() in Perl
- realpath() in PHP
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-139: Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.