GHSA-3XJV-PMF2-GF2Q

Vulnerability from github – Published: 2026-05-06 21:34 – Updated: 2026-05-14 20:39
VLAI
Summary
Flight has path traversal in `make:controller` CLI that creates arbitrary directories outside project root
Details

Summary

The make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied controller name, before Nette's class-name validation runs. The class-file write is correctly rejected by Nette when the name contains /, but the recursive directory creation side effect is already committed — including directories located outside the project root through ../ traversal.

Affected code

flight/commands/ControllerCommand.php (≈ 63-66):

if (is_dir(dirname($controllerPath)) === false) {
    $io->info('Creating directory ' . dirname($controllerPath), true);
    mkdir(dirname($controllerPath), 0755, true);   // un-normalized, runs before validation
}

Proof of concept

$ php vendor/flightphp/runway/runway make:controller '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwn'
Creating directory .../app/controllers/../../../../tmp/CONTROLLER_TRAVERSAL_TEST
Nette\InvalidArgumentException: Value '../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwnController' is not valid class name.

$ ls /home/user/tmp/CONTROLLER_TRAVERSAL_TEST
(directory exists — created before the exception was thrown)

Impact

  • Arbitrary directory creation outside the project root, executable by any local actor that can run the Flight CLI (developer machine, shared CI build agent, compromised dev container).
  • Primes log-file planting for chained LFI exploitation (e.g. creating a directory where an attacker can later drop a .php file to be included via a distinct template-include weakness).
  • On Windows, the \ separator opens additional traversal surface.

Patch (fixed in 3.18.1, commit b8dd23a)

The controller name is now normalized with basename() and validated against ^[A-Za-z_][A-Za-z0-9_]*$ before any mkdir side effect runs.

Credit

Discovered by @Rootingg.

Severity
4.4 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "flightphp/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42549"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T21:34:39Z",
    "nvd_published_at": "2026-05-13T20:16:21Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe `make:controller` CLI command calls `mkdir(..., recursive: true)` on a path built from the user-supplied controller name, **before** Nette\u0027s class-name validation runs. The class-file write is correctly rejected by Nette when the name contains `/`, but the recursive directory creation side effect is already committed \u2014 including directories located outside the project root through `../` traversal.\n\n### Affected code\n`flight/commands/ControllerCommand.php` (\u2248 63-66):\n\n```php\nif (is_dir(dirname($controllerPath)) === false) {\n    $io-\u003einfo(\u0027Creating directory \u0027 . dirname($controllerPath), true);\n    mkdir(dirname($controllerPath), 0755, true);   // un-normalized, runs before validation\n}\n```\n\n### Proof of concept\n```\n$ php vendor/flightphp/runway/runway make:controller \u0027../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwn\u0027\nCreating directory .../app/controllers/../../../../tmp/CONTROLLER_TRAVERSAL_TEST\nNette\\InvalidArgumentException: Value \u0027../../../../tmp/CONTROLLER_TRAVERSAL_TEST/pwnController\u0027 is not valid class name.\n\n$ ls /home/user/tmp/CONTROLLER_TRAVERSAL_TEST\n(directory exists \u2014 created before the exception was thrown)\n```\n\n### Impact\n- **Arbitrary directory creation outside the project root**, executable by any local actor that can run the Flight CLI (developer machine, shared CI build agent, compromised dev container).\n- Primes log-file planting for chained LFI exploitation (e.g. creating a directory where an attacker can later drop a `.php` file to be included via a distinct template-include weakness).\n- On Windows, the `\\` separator opens additional traversal surface.\n\n### Patch (fixed in `3.18.1`, commit `b8dd23a`)\nThe controller name is now normalized with `basename()` and validated against `^[A-Za-z_][A-Za-z0-9_]*$` before any `mkdir` side effect runs.\n\n### Credit\nDiscovered by **@Rootingg**.",
  "id": "GHSA-3xjv-pmf2-gf2q",
  "modified": "2026-05-14T20:39:56Z",
  "published": "2026-05-06T21:34:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/flightphp/core/security/advisories/GHSA-3xjv-pmf2-gf2q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42549"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/flightphp/core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flight has path traversal in `make:controller` CLI that creates arbitrary directories outside project root"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.