CWE-23
AllowedRelative Path Traversal
Abstraction: Base · Status: Draft
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
778 vulnerabilities reference this CWE, most recent first.
GHSA-P224-6X5R-FJPM
Vulnerability from github – Published: 2026-03-20 20:51 – Updated: 2026-03-27 20:59Description
Ory Oathkeeper is vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. /public/../admin/secrets) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation.
Preconditions
Ory Oathkeeper rules are typically configured with patterns like:
/public/<.*> → allow unauthenticated access
/admin/<.*> → require authentication
Without path normalization, a request to /public/../admin/secrets is matched against the raw path /public/../admin/secrets. This matches the /public/<.*> rule, bypassing the authentication required for /admin/secrets. After Ory Oathkeeper permits the request, the upstream server normalizes the path and serves the protected /admin/secrets resource.
Mitigation
Going forward, Ory Oathkeeper normalizes the request path before performing rule matching and before forwarding. The path /public/../admin/secrets is normalized to /admin/secrets, which correctly matches the /admin/<.*> rule and triggers authentication.
As an immediate mitigation, all requests reaching Oathkeeper should be normalized, as described in the section below. Oathkeeper should be upgraded to a fixed version as soon as possible.
Defense in depth: Cleaning paths before Oathkeeper
Even after this fix, it is good practice to normalize HTTP paths in the layers in front of Oathkeeper. This provides defense in depth and protects against similar bypasses in other components. The following examples show how to achieve this with common reverse proxies and CDNs.
Nginx
Nginx normalizes paths by default when using proxy_pass. Alternatively, use $uri (which Nginx normalizes) rather than $request_uri in your matching rules.
Envoy
Enable the normalize_path option (available since Envoy 1.14) to normalize the path components before matching and forwarding. See the Envoy docs on path normalization.
Cloudflare
Cloudflare normalizes URLs by default. In the Cloudflare dashboard, ensure Normalize incoming URLs is enabled under Rules → Normalization. See the Cloudflare URL normalization docs.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ory/oathkeeper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.40.10-0.20260320084758-8e0002140491"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33494"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:51:24Z",
"nvd_published_at": "2026-03-26T18:16:30Z",
"severity": "CRITICAL"
},
"details": "## Description\n\nOry Oathkeeper is vulnerable to an authorization bypass via HTTP path traversal. An attacker can craft a URL containing path traversal sequences (e.g. `/public/../admin/secrets`) that resolves to a protected path after normalization, but is matched against a permissive rule because the raw, un-normalized path is used during rule evaluation.\n\n## Preconditions\n\nOry Oathkeeper rules are typically configured with patterns like:\n\n```\n/public/\u003c.*\u003e \u2192 allow unauthenticated access\n/admin/\u003c.*\u003e \u2192 require authentication\n```\n\nWithout path normalization, a request to `/public/../admin/secrets` is matched against the raw path `/public/../admin/secrets`. This matches the `/public/\u003c.*\u003e` rule, bypassing the authentication required for `/admin/secrets`. After Ory Oathkeeper permits the request, the upstream server normalizes the path and serves the protected `/admin/secrets` resource.\n\n## Mitigation\n\nGoing forward, Ory Oathkeeper normalizes the request path before performing rule matching and before forwarding. The path `/public/../admin/secrets` is normalized to `/admin/secrets`, which correctly matches the `/admin/\u003c.*\u003e` rule and triggers authentication.\n\nAs an immediate mitigation, all requests reaching Oathkeeper should be normalized, as described in the section below. Oathkeeper should be upgraded to a fixed version as soon as possible.\n\n## Defense in depth: Cleaning paths before Oathkeeper\n\nEven after this fix, it is good practice to normalize HTTP paths in the layers in front of Oathkeeper. This provides defense in depth and protects against similar bypasses in other components. The following examples show how to achieve this with common reverse proxies and CDNs.\n\n### Nginx\n\nNginx normalizes paths by default when using `proxy_pass`. Alternatively, use `$uri` (which Nginx normalizes) rather than `$request_uri` in your matching rules.\n\n### Envoy\n\nEnable the `normalize_path` option (available since Envoy 1.14) to normalize the path components before matching and forwarding. See the \u003ca href=\"https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eEnvoy docs on path normalization\u003c/a\u003e.\n\n### Cloudflare\n\nCloudflare normalizes URLs by default. In the Cloudflare dashboard, ensure **Normalize incoming URLs** is enabled under **Rules \u2192 Normalization**.\nSee the \u003ca href=\"https://developers.cloudflare.com/rules/normalization/\" target=\"_blank\" rel=\"noopener noreferrer\"\u003eCloudflare URL normalization docs\u003c/a\u003e.",
"id": "GHSA-p224-6x5r-fjpm",
"modified": "2026-03-27T20:59:22Z",
"published": "2026-03-20T20:51:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ory/oathkeeper/security/advisories/GHSA-p224-6x5r-fjpm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33494"
},
{
"type": "WEB",
"url": "https://github.com/ory/oathkeeper/commit/8e0002140491c592db41fa141dc6ad68f417e2b2"
},
{
"type": "PACKAGE",
"url": "https://github.com/ory/oathkeeper"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Ory Oathkeeper has a path traversal authorization bypass"
}
GHSA-P2J4-X5H5-FMJM
Vulnerability from github – Published: 2025-01-23 21:31 – Updated: 2025-01-23 21:31Fedora Repository 3.8.1 allows path traversal when extracting uploaded archives ("Zip Slip"). A remote, authenticated attacker can upload a specially crafted archive that will extract an arbitrary JSP file to a location that can be executed by an unauthenticated GET request. Fedora Repository 3.8.1 was released on 2015-06-11 and is no longer maintained. Migrate to a currently supported version (6.5.1 as of 2025-01-23).
{
"affected": [],
"aliases": [
"CVE-2025-23011"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-23T21:15:15Z",
"severity": "HIGH"
},
"details": "Fedora Repository 3.8.1 allows path traversal when extracting uploaded archives (\"Zip Slip\"). A remote, authenticated attacker can upload a specially crafted archive that will extract an arbitrary JSP file to a location that can be executed by an unauthenticated GET request. Fedora Repository 3.8.1 was released on 2015-06-11 and is no longer maintained. Migrate to a currently supported version (6.5.1 as of 2025-01-23).",
"id": "GHSA-p2j4-x5h5-fmjm",
"modified": "2025-01-23T21:31:52Z",
"published": "2025-01-23T21:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23011"
},
{
"type": "WEB",
"url": "https://github.com/fcrepo-exts/migration-utils"
},
{
"type": "WEB",
"url": "https://github.com/fcrepo/fcrepo/releases"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-021-01.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P3P7-9H4W-JQW2
Vulnerability from github – Published: 2026-02-05 00:31 – Updated: 2026-02-05 15:31It was possible to improperly access the parent directory of an os.Root by opening a filename ending in "../". For example, Root.Open("../") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.
{
"affected": [],
"aliases": [
"CVE-2025-22873"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-04T23:15:54Z",
"severity": "LOW"
},
"details": "It was possible to improperly access the parent directory of an os.Root by opening a filename ending in \"../\". For example, Root.Open(\"../\") would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent.",
"id": "GHSA-p3p7-9h4w-jqw2",
"modified": "2026-02-05T15:31:14Z",
"published": "2026-02-05T00:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22873"
},
{
"type": "WEB",
"url": "https://go.dev/cl/670036"
},
{
"type": "WEB",
"url": "https://go.dev/issue/73555"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2026-4403"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/05/06/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P434-7834-2W5X
Vulnerability from github – Published: 2024-02-02 09:30 – Updated: 2024-02-02 09:30: Relative Path Traversal vulnerability in B&R Industrial Automation Automation Studio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Automation Studio: from 4.0 through 4.12.
{
"affected": [],
"aliases": [
"CVE-2021-22281"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-02T08:15:46Z",
"severity": "MODERATE"
},
"details": ": Relative Path Traversal vulnerability in B\u0026R Industrial Automation Automation Studio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Automation Studio: from 4.0 through 4.12.\n\n",
"id": "GHSA-p434-7834-2w5x",
"modified": "2024-02-02T09:30:22Z",
"published": "2024-02-02T09:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22281"
},
{
"type": "WEB",
"url": "https://www.br-automation.com/fileadmin/2021-11_ZipSlip_Vulnerability_in_Automation_Studio_Project_Import-b90d2f42.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P4M3-MGMM-C664
Vulnerability from github – Published: 2026-07-10 19:25 – Updated: 2026-07-10 19:25Summary
The patch for CVE-2026-41894 ("Path Traversal via Double URL Encoding") sanitized the /export/ route but the
identical root cause remains in the /assets/*path route. In publish mode (anonymous read-only HTTP endpoint,
default port 6808), an unauthenticated remote attacker can read arbitrary files inside WorkspaceDir — including
conf/conf.json (which contains the AccessAuthCode SHA256 hash, API token, and sync keys), temp/siyuan.db,
temp/blocktree.db, and siyuan.log — by double-URL-encoding .. segments.
Verified against siyuan v3.6.5:
- GET /assets/%252e%252e/%252e%252e/conf/conf.json → HTTP 200, 10349 bytes (conf.json served)
- GET /export/%252e%252e/%252e%252e/conf/conf.json → HTTP 401 (patched)
- GET /assets/%2e%2e/conf/conf.json → HTTP 404 (single-decode handled correctly)
## Vulnerable Code
Step 1 — route & first decode (kernel/server/serve.go:587-626):
The router registers GET /assets/*path for the publish listener. Gin performs one URL decoding pass on URL.Path,
so a request for /assets/%252e%252e/... yields context.Param("path") == "/%2e%2e/%2e%2e/conf/conf.json" — literal
%2e%2e strings, which path.Clean cannot collapse.
Step 2 — second decode via fallback (kernel/model/assets.go:536-563, GetAssetAbsPath):
go
p, err := getAssetAbsPath(relativePath)
if nil != err {
// fallback
decoded, e := url.PathUnescape(relativePath) // ← line 548, second decode
if nil == e {
p, err = getAssetAbsPath(decoded)
}
}
After the fallback decodes %2e%2e to .., filepath.Join(DataDir, "../../conf/conf.json") is Clean-ed to
WorkspaceDir/conf/conf.json, an existing file.
Step 3 — publish-mode access gate fall-through (kernel/model/publish_access.go:288,
CheckAbsPathAccessableByPublishAccess):
go
if !filelock.IsSubPath(util.DataDir, absPath) {
return true // ← fall-through allows anything outside DataDir but inside WorkspaceDir
}
Because the resolved file is outside DataDir (it's in WorkspaceDir), the gate returns true and
IsSensitivePath() is never invoked — .db / .log / conf/ denylists do not apply to the /assets/ route at all
(unlike the patched /export/ route, which additionally checks IsSubPath(exportBaseDir, ...)).
Step 4 — file served (http.ServeFile): the request URL.Path contains literal %2e%2e, not .., so Go's
containsDotDot guard passes and the file is sent.
## PoC
Preconditions: siyuan kernel running with publish mode enabled (conf.publish.enable = true). Publish mode is the
documented anonymous read-only endpoint for sharing notebooks.
$ curl -i "http://victim:6808/assets/%252e%252e/%252e%252e/conf/conf.json"
HTTP/1.1 200 OK
Content-Length: 10349
Content-Type: application/json
...
{"appearance":{...},"editor":{...},"system":{...},"accessAuthCode":"<sha256>","api":{"token":"<api token>"}, ...}
Compared with the patched route:
$ curl -i "http://victim:6808/export/%252e%252e/%252e%252e/conf/conf.json"
HTTP/1.1 401 Unauthorized
## Root Cause
Three independent flaws combine:
1. GetAssetAbsPath performs a second url.PathUnescape as a "compatibility" fallback, re-introducing the
double-decode primitive that the CVE-2026-41894 patch eliminated on /export/.
2. CheckAbsPathAccessableByPublishAccess returns true for any path outside DataDir, even when that path is still
inside WorkspaceDir (which contains conf/conf.json, temp/*.db, siyuan.log).
3. The IsSensitivePath() denylist applied to /export/ is not called from the /assets/ handler.
## Impact
Unauthenticated remote arbitrary file read inside WorkspaceDir. Confirmed-readable files include:
- conf/conf.json — accessAuthCode SHA256 (offline crackable), API token, S3/WebDAV sync credentials.
- temp/siyuan.db, temp/blocktree.db, temp/asset_content.db — full notebook content (SQLite).
- siyuan.log — internal paths, OS username, plugin info.
Compromise of accessAuthCode / API token escalates to authenticated kernel API access (full read/write of all
notebooks). Compromise of sync credentials escalates beyond the host.
## Fix
1. Remove the url.PathUnescape fallback in GetAssetAbsPath (assets.go:548), matching the /export/ patch.
2. In CheckAbsPathAccessableByPublishAccess, replace the IsSubPath(DataDir, ...) fall-through with an explicit
allowlist (only DataDir and its publishable subtree) and always call IsSensitivePath().
3. Apply IsSensitivePath() inside the /assets/*path handler in serve.go as defense-in-depth.
## Status
Privately reported via GitHub Security Advisory. PoC reproduced locally against v3.6.5 (publish port 6808): GET
/assets/%252e%252e/%252e%252e/conf/conf.json returned HTTP 200 / 10349 bytes.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/siyuan-note/siyuan/kernel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260628153353-2d5d72223df4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54066"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-10T19:25:04Z",
"nvd_published_at": "2026-06-24T22:16:48Z",
"severity": "HIGH"
},
"details": "## Summary\n The patch for CVE-2026-41894 (\"Path Traversal via Double URL Encoding\") sanitized the `/export/` route but the\n **identical root cause remains in the `/assets/*path` route**. In publish mode (anonymous read-only HTTP endpoint,\n default port 6808), an unauthenticated remote attacker can read arbitrary files inside `WorkspaceDir` \u2014 including\n `conf/conf.json` (which contains the `AccessAuthCode` SHA256 hash, API token, and sync keys), `temp/siyuan.db`,\n `temp/blocktree.db`, and `siyuan.log` \u2014 by double-URL-encoding `..` segments.\n\n Verified against siyuan v3.6.5:\n - `GET /assets/%252e%252e/%252e%252e/conf/conf.json` \u2192 **HTTP 200, 10349 bytes (conf.json served)**\n - `GET /export/%252e%252e/%252e%252e/conf/conf.json` \u2192 HTTP 401 (patched)\n - `GET /assets/%2e%2e/conf/conf.json` \u2192 HTTP 404 (single-decode handled correctly)\n\n ## Vulnerable Code\n\n **Step 1 \u2014 route \u0026 first decode** (`kernel/server/serve.go:587-626`):\n The router registers `GET /assets/*path` for the publish listener. Gin performs one URL decoding pass on `URL.Path`,\n so a request for `/assets/%252e%252e/...` yields `context.Param(\"path\") == \"/%2e%2e/%2e%2e/conf/conf.json\"` \u2014 literal\n `%2e%2e` strings, which `path.Clean` cannot collapse.\n\n **Step 2 \u2014 second decode via fallback** (`kernel/model/assets.go:536-563`, `GetAssetAbsPath`):\n ```go\n p, err := getAssetAbsPath(relativePath)\n if nil != err {\n // fallback\n decoded, e := url.PathUnescape(relativePath) // \u2190 line 548, second decode\n if nil == e {\n p, err = getAssetAbsPath(decoded)\n }\n }\n ```\n After the fallback decodes `%2e%2e` to `..`, `filepath.Join(DataDir, \"../../conf/conf.json\")` is `Clean`-ed to\n `WorkspaceDir/conf/conf.json`, an existing file.\n\n **Step 3 \u2014 publish-mode access gate fall-through** (`kernel/model/publish_access.go:288`,\n `CheckAbsPathAccessableByPublishAccess`):\n ```go\n if !filelock.IsSubPath(util.DataDir, absPath) {\n return true // \u2190 fall-through allows anything outside DataDir but inside WorkspaceDir\n }\n ```\n Because the resolved file is *outside* `DataDir` (it\u0027s in `WorkspaceDir`), the gate returns `true` and\n `IsSensitivePath()` is never invoked \u2014 `.db` / `.log` / `conf/` denylists do not apply to the `/assets/` route at all\n (unlike the patched `/export/` route, which additionally checks `IsSubPath(exportBaseDir, ...)`).\n\n **Step 4 \u2014 file served** (`http.ServeFile`): the request `URL.Path` contains literal `%2e%2e`, not `..`, so Go\u0027s\n `containsDotDot` guard passes and the file is sent.\n\n ## PoC\n\n Preconditions: siyuan kernel running with publish mode enabled (`conf.publish.enable = true`). Publish mode is the\n documented anonymous read-only endpoint for sharing notebooks.\n\n ```\n $ curl -i \"http://victim:6808/assets/%252e%252e/%252e%252e/conf/conf.json\"\n HTTP/1.1 200 OK\n Content-Length: 10349\n Content-Type: application/json\n ...\n {\"appearance\":{...},\"editor\":{...},\"system\":{...},\"accessAuthCode\":\"\u003csha256\u003e\",\"api\":{\"token\":\"\u003capi token\u003e\"}, ...}\n ```\n\n Compared with the patched route:\n ```\n $ curl -i \"http://victim:6808/export/%252e%252e/%252e%252e/conf/conf.json\"\n HTTP/1.1 401 Unauthorized\n ```\n\n ## Root Cause\n Three independent flaws combine:\n 1. `GetAssetAbsPath` performs a second `url.PathUnescape` as a \"compatibility\" fallback, re-introducing the\n double-decode primitive that the CVE-2026-41894 patch eliminated on `/export/`.\n 2. `CheckAbsPathAccessableByPublishAccess` returns `true` for any path outside `DataDir`, even when that path is still\n inside `WorkspaceDir` (which contains `conf/conf.json`, `temp/*.db`, `siyuan.log`).\n 3. The `IsSensitivePath()` denylist applied to `/export/` is not called from the `/assets/` handler.\n\n ## Impact\n Unauthenticated remote arbitrary file read inside `WorkspaceDir`. Confirmed-readable files include:\n - `conf/conf.json` \u2014 `accessAuthCode` SHA256 (offline crackable), API token, S3/WebDAV sync credentials.\n - `temp/siyuan.db`, `temp/blocktree.db`, `temp/asset_content.db` \u2014 full notebook content (SQLite).\n - `siyuan.log` \u2014 internal paths, OS username, plugin info.\n\n Compromise of `accessAuthCode` / API token escalates to authenticated kernel API access (full read/write of all\n notebooks). Compromise of sync credentials escalates beyond the host.\n\n ## Fix\n 1. Remove the `url.PathUnescape` fallback in `GetAssetAbsPath` (assets.go:548), matching the `/export/` patch.\n 2. In `CheckAbsPathAccessableByPublishAccess`, replace the `IsSubPath(DataDir, ...)` fall-through with an explicit\n allowlist (only `DataDir` and its publishable subtree) and **always** call `IsSensitivePath()`.\n 3. Apply `IsSensitivePath()` inside the `/assets/*path` handler in `serve.go` as defense-in-depth.\n\n ## Status\n Privately reported via GitHub Security Advisory. PoC reproduced locally against v3.6.5 (publish port 6808): `GET\n /assets/%252e%252e/%252e%252e/conf/conf.json` returned HTTP 200 / 10349 bytes.",
"id": "GHSA-p4m3-mgmm-c664",
"modified": "2026-07-10T19:25:04Z",
"published": "2026-07-10T19:25:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-p4m3-mgmm-c664"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54066"
},
{
"type": "PACKAGE",
"url": "https://github.com/siyuan-note/siyuan"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file\u2500read), Incomplete fix of CVE-2026-41894 "
}
GHSA-P6X3-V6G3-7557
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 18:55A vulnerability in the runs/delete-batch endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names, which are used to specify log/metadata files for deletion. This can be exploited to delete arbitrary files or directories, potentially causing denial of service or data loss.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "aim"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.19.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-6483"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-21T18:55:58Z",
"nvd_published_at": "2025-03-20T10:15:32Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the `runs/delete-batch` endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names, which are used to specify log/metadata files for deletion. This can be exploited to delete arbitrary files or directories, potentially causing denial of service or data loss.",
"id": "GHSA-p6x3-v6g3-7557",
"modified": "2025-03-21T18:55:58Z",
"published": "2025-03-20T12:32:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6483"
},
{
"type": "PACKAGE",
"url": "https://github.com/aimhubio/aim"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/dc45d480-e579-4af4-8603-c52ecfd5e363"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Aim Relative Path Traversal vulnerability"
}
GHSA-P7QH-5G9W-V5FR
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37A Relative Path Traversal issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The web user interface fails to prevent access to critical files that non administrative users should not have access to, which could allow an attacker to create or modify files or execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2017-13996"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-05T21:29:00Z",
"severity": "HIGH"
},
"details": "A Relative Path Traversal issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The web user interface fails to prevent access to critical files that non administrative users should not have access to, which could allow an attacker to create or modify files or execute arbitrary code.",
"id": "GHSA-p7qh-5g9w-v5fr",
"modified": "2022-05-13T01:37:42Z",
"published": "2022-05-13T01:37:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13996"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-257-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100847"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P7QV-VX32-P4GG
Vulnerability from github – Published: 2026-04-30 09:30 – Updated: 2026-04-30 09:30ColorOS Assistant has an unauthenticated start-download channel, leading to file path traversal.
{
"affected": [],
"aliases": [
"CVE-2026-22070"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-30T09:16:02Z",
"severity": "HIGH"
},
"details": "ColorOS Assistant has an unauthenticated start-download channel, leading to file path traversal.",
"id": "GHSA-p7qv-vx32-p4gg",
"modified": "2026-04-30T09:30:25Z",
"published": "2026-04-30T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22070"
},
{
"type": "WEB",
"url": "https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2049764240746881024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P844-6JFP-89RQ
Vulnerability from github – Published: 2025-06-10 18:32 – Updated: 2025-06-10 18:32IBM AIX 7.3 and IBM VIOS 4.1.1 Perl implementation could allow a non-privileged local user to exploit a vulnerability to execute arbitrary code due to improper neutralization of pathname input.
{
"affected": [],
"aliases": [
"CVE-2025-33112"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T17:23:11Z",
"severity": "HIGH"
},
"details": "IBM AIX 7.3 and IBM VIOS 4.1.1 Perl implementation could allow a non-privileged local user to exploit a vulnerability to execute arbitrary code due to improper neutralization of pathname input.",
"id": "GHSA-p844-6jfp-89rq",
"modified": "2025-06-10T18:32:29Z",
"published": "2025-06-10T18:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33112"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7236103"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P84V-GXVW-73PF
Vulnerability from github – Published: 2025-10-14 18:00 – Updated: 2025-11-05 22:10Vulnerability Description
Vulnerability Overview
- During the artifact extraction process, the
unpack()function extracts the compressed file to a temporary directory (/etc.tmpdir) and then attempts to move its contents to/etcusing therename()system call, - However, since
/etcis an already existing system directory, therename()system call fails, making normal archive extraction impossible. - At this point, if a malicious user sets the entry name inside the
tar.gzfile to a path traversal like../../../../../etc/zipslip-poc, - The
untar()function combines paths usingfilepath.Join(dest, filepath.Clean(header.Name))without path validation, resulting intarget = "/work/input/../../../../../etc/zipslip-poc", - Ultimately, the
/etc/zipslip-pocfile is created, bypassing the normal archive extraction constraints and enabling direct file writing to system directories.
untar(): Writing Files Outside the Extraction Directory
https://github.com/argoproj/argo-workflows/blob/946a2d6b9ac3309371fe47f49ae94c33ca7d488d/workflow/executor/executor.go#L993
- Base Path:
/work/tmp(dest) — The intended extraction directory in the wait container - Malicious Entry:
../../../../../../../../../..//mainctrfs/etc/zipslip-ok.txt(header.Name) — Path traversal payload - Path Cleaning:
filepath.Clean("../../../../../../../../../..//mainctrfs/etc/zipslip-ok.txt") = /mainctrfs/etc/zipslip-ok.txt— Go’s path cleaning normalizes the traversal - Path Joining:
filepath.Join("/work/tmp", "/mainctrfs/etc/zipslip-ok.txt") = /mainctrfs/etc/zipslip-ok.txt— Absolute path overrides base directory - File Creation:
/mainctrfs/etc/zipslip-ok.txtfile is created in the wait container - Volume Mirroring: The file appears as
/etc/zipslip-ok.txtin the main container due to volume mount mirroring
PoC
PoC Description
- The user uploaded a malicious
tar.gzfile to S3 that contains path traversal entries like../../../../../../../../../..//mainctrfs/etc/zipslip-ok.txtdesigned to exploit the vulnerability. - In the Argo Workflows YAML, the artifact’s path is set to
/work/tmp, which should normally extract the archive to that intended directory. - However, due to the vulnerability in the
untar()function,filepath.Join("/work/tmp", "/mainctrfs/etc/zipslip-ok.txt")resolves to/mainctrfs/etc/zipslip-ok.txt, causing files to be created in unintended locations. - Since the wait container’s
/mainctrfs/etcand the main container’s/etcshare the same volume, files created in the wait container become visible in the main container’s/etc/directory. - Consequently, the archive that should extract to
/work/tmpexploits the Zip Slip vulnerability to create files in the/etc/directory, enabling manipulation of system configuration files.
exploit yaml
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: zipslip-
spec:
entrypoint: main
templates:
- name: main
container:
image: ubuntu:22.04
command: ["sh"]
args: ["-c", "echo 'Starting container'; sleep 3000"]
volumeMounts:
- name: etcvol
mountPath: /etc
inputs:
artifacts:
- name: evil
path: /work/tmp
archive:
tar: {}
http:
url: "https://zipslip-s3.s3.ap-northeast-2.amazonaws.com/etc-poc.tgz"
volumes:
- name: etcvol
emptyDir: {}
exploit
-
Create Zipslip
-
Upload S3
-
Create Workflow
-
Run
-
Exploit Success
```bash # Find Workflow and Pod NS=default WF=$(kubectl get wf -n "$NS" --sort-by=.metadata.creationTimestamp --no-headers | awk 'END{print $1}') POD=$(kubectl get pod -n "$NS" -l workflows.argoproj.io/workflow="$WF" --no-headers | awk 'END{print $1}') echo "NS=$NS WF=$WF POD=$POD"
# Connect Main Container kubectl exec -it -n "$NS" "$POD" -c main -- bash
# Exploit cd /etc/ ls -l cat zipslip-ok.txt ```
Impact
Container Isolation Bypass
The Zip Slip vulnerability allows attackers to write files to system directories like /etc/ within the container, potentially overwriting critical configuration files such as /etc/passwd, /etc/hosts, or /etc/crontab, which could lead to privilege escalation or persistent access within the compromised container.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-workflows/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-workflows/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0"
},
{
"fixed": "3.7.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62156"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-14T18:00:30Z",
"nvd_published_at": "2025-10-14T15:16:12Z",
"severity": "HIGH"
},
"details": "### **Vulnerability Description**\n\n#### Vulnerability Overview\n\n1. During the artifact extraction process, the `unpack()` function extracts the compressed file to a temporary directory (`/etc.tmpdir`) and then attempts to move its contents to `/etc` using the `rename()` system call,\n2. However, since `/etc` is an already existing system directory, the `rename()` system call fails, making normal archive extraction impossible.\n3. At this point, if a malicious user sets the entry name inside the `tar.gz` file to a path traversal like `../../../../../etc/zipslip-poc`,\n4. The `untar()` function combines paths using `filepath.Join(dest, filepath.Clean(header.Name))` without path validation, resulting in `target = \"/work/input/../../../../../etc/zipslip-poc\"`,\n5. Ultimately, the `/etc/zipslip-poc` file is created, bypassing the normal archive extraction constraints and enabling direct file writing to system directories.\n\n#### untar(): Writing Files Outside the Extraction Directory\n\nhttps://github.com/argoproj/argo-workflows/blob/946a2d6b9ac3309371fe47f49ae94c33ca7d488d/workflow/executor/executor.go#L993\n\n1. **Base Path**: `/work/tmp` (dest) \u2014 The intended extraction directory in the wait container \n2. **Malicious Entry**: `../../../../../../../../../..//mainctrfs/etc/zipslip-ok.txt` (`header.Name`) \u2014 Path traversal payload \n3. **Path Cleaning**: `filepath.Clean(\"../../../../../../../../../..//mainctrfs/etc/zipslip-ok.txt\") = /mainctrfs/etc/zipslip-ok.txt` \u2014 Go\u2019s path cleaning normalizes the traversal \n4. **Path Joining**: `filepath.Join(\"/work/tmp\", \"/mainctrfs/etc/zipslip-ok.txt\") = /mainctrfs/etc/zipslip-ok.txt` \u2014 Absolute path overrides base directory \n5. **File Creation**: `/mainctrfs/etc/zipslip-ok.txt` file is created in the wait container \n6. **Volume Mirroring**: The file appears as `/etc/zipslip-ok.txt` in the main container due to volume mount mirroring\n\n### PoC\n\n#### PoC Description\n\n1. The user uploaded a malicious `tar.gz` file to S3 that contains path traversal entries like `../../../../../../../../../..//mainctrfs/etc/zipslip-ok.txt` designed to exploit the vulnerability.\n2. In the Argo Workflows YAML, the artifact\u2019s path is set to `/work/tmp`, which should normally extract the archive to that intended directory.\n3. However, due to the vulnerability in the `untar()` function, `filepath.Join(\"/work/tmp\", \"/mainctrfs/etc/zipslip-ok.txt\")` resolves to `/mainctrfs/etc/zipslip-ok.txt`, causing files to be created in unintended locations.\n4. Since the wait container\u2019s `/mainctrfs/etc` and the main container\u2019s `/etc` share the same volume, files created in the wait container become visible in the main container\u2019s `/etc/` directory.\n5. Consequently, the archive that should extract to `/work/tmp` exploits the Zip Slip vulnerability to create files in the `/etc/` directory, enabling manipulation of system configuration files.\n\n#### exploit yaml\n\n```yaml\napiVersion: argoproj.io/v1alpha1\nkind: Workflow\nmetadata:\n generateName: zipslip-\nspec:\n entrypoint: main\n templates:\n - name: main\n container:\n image: ubuntu:22.04\n command: [\"sh\"]\n args: [\"-c\", \"echo \u0027Starting container\u0027; sleep 3000\"]\n volumeMounts:\n - name: etcvol\n mountPath: /etc\n inputs:\n artifacts:\n - name: evil\n path: /work/tmp \n archive:\n tar: {}\n http:\n url: \"https://zipslip-s3.s3.ap-northeast-2.amazonaws.com/etc-poc.tgz\"\n volumes:\n - name: etcvol\n emptyDir: {}\n```\n\n#### exploit\n\n1. Create Zipslip \n\u003cimg width=\"1300\" height=\"102\" alt=\"image (4)\" src=\"https://github.com/user-attachments/assets/74569df1-43f9-409d-b905-601bcb5998e2\" /\u003e\n\n2. Upload S3 \n\u003cimg width=\"1634\" height=\"309\" alt=\"image (5)\" src=\"https://github.com/user-attachments/assets/2bf4a90a-0f03-411d-9a31-3c7de4b399b4\" /\u003e\n\n\n3. Create Workflow \n\u003cimg width=\"1875\" height=\"865\" alt=\"image (1) (1)\" src=\"https://github.com/user-attachments/assets/fd01a4a7-c400-47a2-a8f0-427b0feabc7f\" /\u003e\n\n\n4. Run \n\u003cimg width=\"1799\" height=\"862\" alt=\"image (2)\" src=\"https://github.com/user-attachments/assets/18a68919-1529-4ca0-9ed4-b71e271ae38f\" /\u003e\n\n\n5. Exploit Success\n\u003cimg width=\"1363\" height=\"440\" alt=\"image (3)\" src=\"https://github.com/user-attachments/assets/ac0e834d-4734-4771-9d24-d6fd1ce5d77f\" /\u003e\n\n ```bash\n # Find Workflow and Pod\n NS=default\n WF=$(kubectl get wf -n \"$NS\" --sort-by=.metadata.creationTimestamp --no-headers | awk \u0027END{print $1}\u0027)\n POD=$(kubectl get pod -n \"$NS\" -l workflows.argoproj.io/workflow=\"$WF\" --no-headers | awk \u0027END{print $1}\u0027)\n echo \"NS=$NS WF=$WF POD=$POD\"\n \n # Connect Main Container\n kubectl exec -it -n \"$NS\" \"$POD\" -c main -- bash\n \n # Exploit\n cd /etc/\n ls -l\n cat zipslip-ok.txt\n ```\n\n### Impact\n\n#### Container Isolation Bypass\n\nThe Zip Slip vulnerability allows attackers to write files to system directories like `/etc/` within the container, potentially overwriting critical configuration files such as `/etc/passwd`, `/etc/hosts`, or `/etc/crontab`, which could lead to privilege escalation or persistent access within the compromised container.",
"id": "GHSA-p84v-gxvw-73pf",
"modified": "2025-11-05T22:10:23Z",
"published": "2025-10-14T18:00:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-p84v-gxvw-73pf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62156"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-workflows/commit/5659ad9b641fcf52c04ed594cd6493f9170f6011"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-workflows/commit/9f6bc5d236cd1b24d607943384511d71ad17a4c3"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj/argo-workflows"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-workflows/blob/946a2d6b9ac3309371fe47f49ae94c33ca7d488d/workflow/executor/executor.go#L993"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-4023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Argo Workflow has a Zipslip Vulnerability"
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Strategy: Input Validation
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
- Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
- realpath() in C
- getCanonicalPath() in Java
- GetFullPath() in ASP.NET
- realpath() or abs_path() in Perl
- realpath() in PHP
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-139: Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.