GHSA-HXF2-GM22-7VCM

Vulnerability from github – Published: 2026-04-08 00:12 – Updated: 2026-04-08 00:12
Summary
Emissary has a Path Traversal via Blacklist Bypass in Configuration API
Details

Summary

The configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked for "\", "/", "..", and a trailing ".". This could potentially be bypassed using URL-encoded variants, double-encoding, or Unicode normalization to achieve path traversal and read configuration files outside the intended directory.

Details

Vulnerable code — Configs.java (line 126)

// Blacklist validation (vulnerable): only the literal characters it names are rejected.
// StringUtils.isBlank (Apache Commons Lang) rejects null, empty and whitespace-only names.
protected static String validate(String config) {
    if (StringUtils.isBlank(config) || config.contains("\\") || config.contains("/")
        || config.contains("..") || config.endsWith(".")) {
        throw new IllegalArgumentException("Invalid config name: " + config);
    }
    // Any other character, including '%' and non-ASCII code points, passes through unchanged.
    return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING);
}

Weakness

The blacklist blocked literal "\", "/", "..", and a trailing "." but could potentially miss:

  • URL-encoded variants (%2e%2e%2f) if decoded after validation
  • Double-encoded sequences (%252e%252e%252f)
  • Unicode normalization bypasses
  • The approach relies on string matching rather than canonical path resolution

Impact

  • Potential read access to configuration files outside the intended config directory
  • Information disclosure of sensitive configuration values

Remediation

Fixed in PR #1292, merged into release 8.39.0.

The blacklist was replaced with an allowlist regex that only permits characters matching ^[a-zA-Z0-9._-]+$:

import java.util.regex.Pattern;

// Allowlist: a name may contain only ASCII letters, digits, '.', '_' and '-'.
protected static final Pattern VALID_CONFIG_NAME = Pattern.compile("^[a-zA-Z0-9._-]+$");

protected static String validate(String config) {
    // Separators, '%' and non-ASCII characters fail the regex. ".." and a trailing "."
    // are built from allowed characters, so they are still rejected explicitly.
    if (!VALID_CONFIG_NAME.matcher(config).matches() || config.contains("..") || config.endsWith(".")) {
        throw new IllegalArgumentException("Invalid config name: " + config);
    }
    return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING);
}

This ensures that any character outside the allowed set — including encoded slashes, percent signs, and Unicode sequences — is rejected before the config name reaches the filesystem.

Tests were added to verify that URL-encoded (%2e%2e%2f), double-encoded (%252e%252e%252f), and Unicode (U+002F) traversal attempts are blocked.
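As an added illustration, not code from Emissary or from PR #1292, the following Java class combines the advisory's allowlist with canonical path resolution as a second, independent guard, and runs the two valid names and the three traversal shapes covered by the advisory's tests through it. The class name, the CONFIG_FILE_ENDING value and the CONFIG_DIR location are assumptions; the real constants live in Emissary's Configs class.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not Emissary's code: the advisory's allowlist check followed by
 * canonical path resolution as a second, independent guard.
 */
public class ConfigNameValidation {

    // Allowlist from the fix: ASCII letters, digits, '.', '_' and '-' only.
    static final Pattern VALID_CONFIG_NAME = Pattern.compile("^[a-zA-Z0-9._-]+$");

    // Assumed values; Emissary's real constants live in its Configs class.
    static final String CONFIG_FILE_ENDING = ".cfg";
    static final Path CONFIG_DIR = Paths.get("/opt/emissary/config").toAbsolutePath().normalize();

    /**
     * Step 1, allowlist. A '%' or any non-ASCII character fails the regex, so
     * encoded or normalised traversal sequences are rejected before any decoder
     * could turn them into separators. ".." and a trailing "." are inside the
     * character class and therefore still need their own checks.
     */
    static String validateName(String config) {
        if (config == null || !VALID_CONFIG_NAME.matcher(config).matches()
                || config.contains("..") || config.endsWith(".")) {
            throw new IllegalArgumentException("Invalid config name: " + config);
        }
        return config.endsWith(CONFIG_FILE_ENDING) ? config : config + CONFIG_FILE_ENDING;
    }

    /**
     * Step 2, canonical resolution. Even a name that passed step 1 is only used
     * after resolving it under CONFIG_DIR and confirming that the normalised
     * result is a direct child of that directory.
     */
    static Path resolveConfigPath(String config) {
        Path resolved = CONFIG_DIR.resolve(validateName(config)).normalize();
        if (!resolved.startsWith(CONFIG_DIR) || !CONFIG_DIR.equals(resolved.getParent())) {
            throw new IllegalArgumentException("Config path escapes config directory: " + config);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed inputs: two valid names and the three traversal shapes the advisory's tests cover.
        List<String> inputs = List.of(
                "emissary.cfg",
                "place-holder_1",
                "%2e%2e%2f",        // URL-encoded "../"; '%' is outside the allowlist
                "%252e%252e%252f",  // double-encoded "../"; rejected for the same reason
                "..\u002Fx");       // U+002F is a literal '/', rejected by the allowlist
        for (String in : inputs) {
            try {
                System.out.println("accepted: " + in + " -> " + resolveConfigPath(in));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The first two names are accepted and resolve to files directly under CONFIG_DIR; the three traversal inputs are rejected by the allowlist before any filesystem call. The second step costs nothing for valid names and catches the case the advisory's "Weakness" section warns about, a validator that matches strings instead of resolving the canonical path.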

Workarounds

If upgrading is not immediately possible, deploy a reverse proxy or WAF rule that rejects requests to /api/configuration/ containing encoded path traversal sequences.

References

  • PR #1292 — validate config name with an allowlist: https://github.com/NationalSecurityAgency/emissary/pull/1292
  • Original report: GHSA-wjqm-p579-x3ww

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "gov.nsa.emissary:emissary"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.39.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35583"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T00:12:55Z",
    "nvd_published_at": "2026-04-07T17:16:33Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe configuration API endpoint (`/api/configuration/{name}`) validated\nconfiguration names using a blacklist approach that checked for `\\`, `/`, `..`,\nand trailing `.`. This could potentially be bypassed using URL-encoded variants,\ndouble-encoding, or Unicode normalization to achieve path traversal and read\nconfiguration files outside the intended directory.\n\n## Details\n\n### Vulnerable code \u2014 `Configs.java` (line 126)\n\n```java\nprotected static String validate(String config) {\n    if (StringUtils.isBlank(config) || config.contains(\"\\\\\") || config.contains(\"/\")\n        || config.contains(\"..\") || config.endsWith(\".\")) {\n        throw new IllegalArgumentException(\"Invalid config name: \" + config);\n    }\n    return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING);\n}\n```\n\n### Weakness\n\nThe blacklist blocked literal `\\`, `/`, `..`, and trailing `.` but could\npotentially miss:\n\n- URL-encoded variants (`%2e%2e%2f`) if decoded after validation\n- Double-encoded sequences (`%252e%252e%252f`)\n- Unicode normalization bypasses\n- The approach relies on string matching rather than canonical path resolution\n\n### Impact\n\n- Potential read access to configuration files outside the intended config\n  directory\n- Information disclosure of sensitive configuration values\n\n## Remediation\n\nFixed in [PR #1292](https://github.com/NationalSecurityAgency/emissary/pull/1292),\nmerged into release 8.39.0.\n\nThe blacklist was replaced with an allowlist regex that only permits characters\nmatching `^[a-zA-Z0-9._-]+$`:\n\n```java\nprotected static final Pattern VALID_CONFIG_NAME = Pattern.compile(\"^[a-zA-Z0-9._-]+$\");\n\nprotected static String validate(String config) {\n    if (!VALID_CONFIG_NAME.matcher(config).matches() || config.contains(\"..\") || config.endsWith(\".\")) {\n        throw new IllegalArgumentException(\"Invalid config name: \" + config);\n    }\n    return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING);\n}\n```\n\nThis ensures that any character outside the allowed set \u2014 including encoded\nslashes, percent signs, and Unicode sequences \u2014 is rejected before the config\nname reaches the filesystem.\n\nTests were added to verify that URL-encoded (`%2e%2e%2f`), double-encoded\n(`%252e%252e%252f`), and Unicode (`U+002F`) traversal attempts are blocked.\n\n## Workarounds\n\nIf upgrading is not immediately possible, deploy a reverse proxy or WAF rule\nthat rejects requests to `/api/configuration/` containing encoded path traversal\nsequences.\n\n## References\n\n- [PR #1292 \u2014 validate config name with an allowlist](https://github.com/NationalSecurityAgency/emissary/pull/1292)\n- Original report: GHSA-wjqm-p579-x3ww",
  "id": "GHSA-hxf2-gm22-7vcm",
  "modified": "2026-04-08T00:12:55Z",
  "published": "2026-04-08T00:12:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35583"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NationalSecurityAgency/emissary/pull/1292"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NationalSecurityAgency/emissary"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Emissary has a Path Traversal via Blacklist Bypass in Configuration API"
}

