Vulnerability-Lookup

GHSA-F6PR-83PG-GHH6

Vulnerability from github – Published: 2026-04-29 22:18 – Updated: 2026-05-13 13:38

Summary

pygeoapi 0.23.x: Path Traversal in STAC FileSystemProvider

Details

Impact

A raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with .. values, along with a resource of type stac-collection defined in configuration.

Patches

The issue has been patched in master branch and made available as part of the 0.23.3 release.

The commit/fix can be found in bf25b8695edbdd5476eeffc102b633d1d3e45f52.

Workarounds

Users can safeguard existing applications by disabling STAC collection based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pygeoapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.23.0"
            },
            {
              "fixed": "0.23.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T22:18:02Z",
    "nvd_published_at": "2026-05-08T23:16:38Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA raw string path concatenation vulnerability in pygeoapi\u0027s STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication.  The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with `..` values, along with a resource of type `stac-collection` defined in configuration.\n\n### Patches\nThe issue has been patched in master branch and made available as part of the 0.23.3 release.\n\nThe commit/fix can be found in [bf25b8695edbdd5476eeffc102b633d1d3e45f52](https://github.com/geopython/pygeoapi/commit/bf25b8695edbdd5476eeffc102b633d1d3e45f52).\n### Workarounds\nUsers can safeguard existing applications by disabling STAC collection based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.",
  "id": "GHSA-f6pr-83pg-ghh6",
  "modified": "2026-05-13T13:38:11Z",
  "published": "2026-04-29T22:18:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geopython/pygeoapi/security/advisories/GHSA-f6pr-83pg-ghh6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42351"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geopython/pygeoapi/commit/bf25b8695edbdd5476eeffc102b633d1d3e45f52"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geopython/pygeoapi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geopython/pygeoapi/releases/tag/0.23.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pygeoapi 0.23.x: Path Traversal in STAC FileSystemProvider"
}

CVE-2026-42351 (GCVE-0-2026-42351)

Vulnerability from cvelistv5 – Published: 2026-05-08 22:31 – Updated: 2026-05-12 02:13

Title

pygeoapi: Path Traversal in STAC FileSystemProvider

Summary

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with .. values, along with a resource of type stac-collection defined in configuration. This issue has been patched in version 0.23.3.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/geopython/pygeoapi/security/ad…	x_refsource_CONFIRM
https://github.com/geopython/pygeoapi/commit/bf25…	x_refsource_MISC
https://github.com/geopython/pygeoapi/releases/ta…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
geopython	pygeoapi	Affected: >= 0.23.0, < 0.23.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42351",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-12T02:13:24.339410Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T02:13:37.972Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pygeoapi",
          "vendor": "geopython",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.23.0, \u003c 0.23.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi\u0027s STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with .. values, along with a resource of type stac-collection defined in configuration. This issue has been patched in version 0.23.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T22:31:18.001Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/geopython/pygeoapi/security/advisories/GHSA-f6pr-83pg-ghh6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/geopython/pygeoapi/security/advisories/GHSA-f6pr-83pg-ghh6"
        },
        {
          "name": "https://github.com/geopython/pygeoapi/commit/bf25b8695edbdd5476eeffc102b633d1d3e45f52",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/geopython/pygeoapi/commit/bf25b8695edbdd5476eeffc102b633d1d3e45f52"
        },
        {
          "name": "https://github.com/geopython/pygeoapi/releases/tag/0.23.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/geopython/pygeoapi/releases/tag/0.23.3"
        }
      ],
      "source": {
        "advisory": "GHSA-f6pr-83pg-ghh6",
        "discovery": "UNKNOWN"
      },
      "title": "pygeoapi: Path Traversal in STAC FileSystemProvider"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42351",
    "datePublished": "2026-05-08T22:31:18.001Z",
    "dateReserved": "2026-04-26T13:26:14.515Z",
    "dateUpdated": "2026-05-12T02:13:37.972Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted