CWE-23
AllowedRelative Path Traversal
Abstraction: Base · Status: Draft
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
777 vulnerabilities reference this CWE, most recent first.
GHSA-W974-55HM-QP53
Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-05-14 18:31Windows Hyper-V Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-30010"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T17:16:40Z",
"severity": "HIGH"
},
"details": "Windows Hyper-V Remote Code Execution Vulnerability",
"id": "GHSA-w974-55hm-qp53",
"modified": "2024-05-14T18:31:03Z",
"published": "2024-05-14T18:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30010"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WMWF-9CCG-FFF5
Vulnerability from github – Published: 2025-10-27 18:31 – Updated: 2026-05-13 16:23The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-M1"
},
{
"fixed": "11.0.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0-M1"
},
{
"fixed": "10.1.45"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0-M11"
},
{
"fixed": "9.0.109"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.6"
},
{
"last_affected": "8.5.100"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-catalina"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-M1"
},
{
"fixed": "11.0.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-catalina"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0-M1"
},
{
"fixed": "10.1.45"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-catalina"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0-M11"
},
{
"fixed": "9.0.109"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-catalina"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.6"
},
{
"last_affected": "8.5.100"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-M1"
},
{
"fixed": "11.0.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0-M1"
},
{
"fixed": "10.1.45"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0-M11"
},
{
"fixed": "9.0.109"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.6"
},
{
"last_affected": "8.5.100"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55752"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-28T17:55:41Z",
"nvd_published_at": "2025-10-27T18:15:42Z",
"severity": "HIGH"
},
"details": "The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.\n\n\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108.\n\nThe following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.",
"id": "GHSA-wmwf-9ccg-fff5",
"modified": "2026-05-13T16:23:35Z",
"published": "2025-10-27T18:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55752"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/130d36d8492ef9e4eb22952c17c92423cb35fd06"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/b5042622b8b78340ae65403c55dcb9c7416924df"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/fec06c610ed7466b401e29cc567a58aee5ed826a"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/tomcat"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog"
},
{
"type": "WEB",
"url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.45"
},
{
"type": "WEB",
"url": "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.11"
},
{
"type": "WEB",
"url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.109"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-55752-detect-apache-tomcat-vulnerability"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-55752-mitigate-apache-tomcat-vulnerability"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/10/27/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Tomcat Vulnerable to Relative Path Traversal"
}
GHSA-WP9X-WJHC-28MV
Vulnerability from github – Published: 2026-07-02 18:36 – Updated: 2026-07-02 18:36A relative path traversal in the "keyhint" option in repomd.xml parsing of libzypp before 17.38.12 can be used by attackers able to supply a malicious repository to inject or overwrite files in the target system as root.
{
"affected": [],
"aliases": [
"CVE-2026-44941"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-02T16:16:30Z",
"severity": "HIGH"
},
"details": "A relative path traversal in the \"keyhint\" option in repomd.xml parsing of libzypp before 17.38.12 can be used by attackers able to supply a malicious repository to inject or overwrite files in the target system as root.",
"id": "GHSA-wp9x-wjhc-28mv",
"modified": "2026-07-02T18:36:28Z",
"published": "2026-07-02T18:36:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44941"
},
{
"type": "WEB",
"url": "https://github.com/openSUSE/libzypp/commit/294b1bad442d089ca671c5c03adc8031e3b29e04"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1267426"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WQJP-F422-GR32
Vulnerability from github – Published: 2025-03-14 18:30 – Updated: 2025-03-14 18:30The API used to interact with documents in the application contains a flaw that allows an authenticated attacker to read the contents of files on the underlying operating system. An account with ‘read’ and ‘download’ privileges on at least one existing document in the application is required to exploit the vulnerability. Exploitation of this vulnerability would allow an attacker to read the contents of any file available within the privileges of the system user running the application.
{
"affected": [],
"aliases": [
"CVE-2024-12019"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-14T18:15:27Z",
"severity": "HIGH"
},
"details": "The API used to interact with documents in the application contains a flaw that allows an authenticated attacker to read the contents of files on the underlying operating system. An account with \u2018read\u2019 and \u2018download\u2019 privileges on at least one existing document in the application is required to exploit the vulnerability.\u00a0Exploitation of this vulnerability would allow an attacker to read the contents of any file available within the privileges of the system user running the application.",
"id": "GHSA-wqjp-f422-gr32",
"modified": "2025-03-14T18:30:51Z",
"published": "2025-03-14T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12019"
},
{
"type": "WEB",
"url": "https://www.blackduck.com/blog/cyrc-advisory-logicaldoc.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WRV4-VRJR-M5JR
Vulnerability from github – Published: 2023-07-10 03:30 – Updated: 2024-04-04 05:51SmartBPM.NET has a vulnerability of using hard-coded authentication key. An unauthenticated remote attacker can exploit this vulnerability to access system with regular user privilege to read application data, and execute submission and approval processes.
{
"affected": [],
"aliases": [
"CVE-2023-37288"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-10T02:15:45Z",
"severity": "HIGH"
},
"details": "SmartBPM.NET has a vulnerability of using hard-coded authentication key. An unauthenticated remote attacker can exploit this vulnerability to access system with regular user privilege to read application data, and execute submission and approval processes.",
"id": "GHSA-wrv4-vrjr-m5jr",
"modified": "2024-04-04T05:51:07Z",
"published": "2023-07-10T03:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37288"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-7223-af8f8-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WVQJ-VJ23-9CF7
Vulnerability from github – Published: 2026-07-14 18:31 – Updated: 2026-07-14 18:31Relative path traversal in Windows PowerShell allows an authorized attacker to execute code over a network.
{
"affected": [],
"aliases": [
"CVE-2026-40400"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T17:16:47Z",
"severity": "HIGH"
},
"details": "Relative path traversal in Windows PowerShell allows an authorized attacker to execute code over a network.",
"id": "GHSA-wvqj-vj23-9cf7",
"modified": "2026-07-14T18:31:57Z",
"published": "2026-07-14T18:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40400"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40400"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WWF8-G67R-V78Q
Vulnerability from github – Published: 2023-02-26 15:30 – Updated: 2023-03-03 06:30A vulnerability was found in MuYuCMS 2.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin.php/accessory/filesdel.html. The manipulation of the argument filedelur leads to relative path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-221804.
{
"affected": [],
"aliases": [
"CVE-2023-1045"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-26T13:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in MuYuCMS 2.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin.php/accessory/filesdel.html. The manipulation of the argument filedelur leads to relative path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-221804.",
"id": "GHSA-wwf8-g67r-v78q",
"modified": "2023-03-03T06:30:18Z",
"published": "2023-02-26T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1045"
},
{
"type": "WEB",
"url": "https://github.com/MuYuCMS/MuYuCMS/issues/6"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.221804"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.221804"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X275-H9J4-7P4H
Vulnerability from github – Published: 2025-05-13 20:02 – Updated: 2025-05-13 20:02TL;DR
This vulnerability affects all Kirby sites that use the collection() helper or $kirby->collection() method with a dynamic collection name (such as a collection name that depends on request or user data).
Sites that only use fixed calls to the collection() helper/$kirby->collection() method (i.e. calls with a simple string for the collection name) are not affected.
Introduction
Kirby's collection() helper and $kirby->collection() method (in the following abbreviated to the collection() helper) allow to load PHP logic files that are normally stored in the site/collections folder or registered by plugins through the collections plugin extension.
If the collection() helper is called with an arbitrary collection name, Kirby first checks if a file with this name exists in the collections root (which defaults to site/collections).
This logic was vulnerable against path traversal attacks. By using special elements such as .. and / separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the ../ sequence, which in most modern operating systems is interpreted as the parent directory of the current location.
Because Kirby's collection() helper did not protect against path traversal, the provided collection name could include special sequences that would cause Kirby to look outside of the configured collections root and access arbitrary files.
Impact
The missing path traversal check allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the collections root or even outside of the Kirby installation. PHP code within such files was executed.
Such attacks first require an attack vector in the site code that is caused by dynamic collection names, such as collection('tags-' . get('tags')). It generally also requires knowledge of the site structure and the server's file system by the attacker, although it can be possible to find vulnerable setups through automated methods such as fuzzing.
In a vulnerable setup, this could cause damage to the confidentiality and integrity of the server, for example:
- it could allow the attacker to build a map of the server's file system for subsequent attacks,
- it could allow access to configuration files that may contain sensitive information like security tokens or
- it could cause the unintended execution of PHP scripts.
Patches
The problem has been patched in Kirby 3.9.8.3, Kirby 3.10.1.2 and Kirby 4.7.1. Please update to one of these or a later version to fix the vulnerability.
In all of the mentioned releases, we have added a check for the collection path that ensures that the resulting path is contained within the configured collections root. Collection paths that point outside of the collections root will not be loaded.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.8.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.10.0"
},
{
"fixed": "3.10.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-31493"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-13T20:02:17Z",
"nvd_published_at": "2025-05-13T16:15:30Z",
"severity": "MODERATE"
},
"details": "### TL;DR\n\nThis vulnerability affects all Kirby sites that use the `collection()` helper or `$kirby-\u003ecollection()` method with a dynamic collection name (such as a collection name that depends on request or user data).\n\nSites that only use fixed calls to the `collection()` helper/`$kirby-\u003ecollection()` method (i.e. calls with a simple string for the collection name) are *not* affected.\n\n----\n\n### Introduction\n\nKirby\u0027s `collection()` helper and `$kirby-\u003ecollection()` method (in the following abbreviated to the `collection()` helper) allow to load PHP logic files that are normally stored in the `site/collections` folder or registered by plugins through the `collections` plugin extension.\n\nIf the `collection()` helper is called with an arbitrary collection name, Kirby first checks if a file with this name exists in the collections root (which defaults to `site/collections`).\n\nThis logic was vulnerable against path traversal attacks. By using special elements such as `..` and `/` separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the `../` sequence, which in most modern operating systems is interpreted as the parent directory of the current location.\n\nBecause Kirby\u0027s `collection()` helper did not protect against path traversal, the provided collection name could include special sequences that would cause Kirby to look outside of the configured collections root and access arbitrary files.\n\n### Impact\n\nThe missing path traversal check allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the collections root or even outside of the Kirby installation. PHP code within such files was executed.\n\nSuch attacks first require an attack vector in the site code that is caused by dynamic collection names, such as `collection(\u0027tags-\u0027 . get(\u0027tags\u0027))`. It generally also requires knowledge of the site structure and the server\u0027s file system by the attacker, although it can be possible to find vulnerable setups through automated methods such as fuzzing.\n\nIn a vulnerable setup, this could cause damage to the confidentiality and integrity of the server, for example:\n\n- it could allow the attacker to build a map of the server\u0027s file system for subsequent attacks,\n- it could allow access to configuration files that may contain sensitive information like security tokens or\n- it could cause the unintended execution of PHP scripts.\n\n### Patches\n\nThe problem has been patched in [Kirby 3.9.8.3](https://github.com/getkirby/kirby/releases/tag/3.9.8.3), [Kirby 3.10.1.2](https://github.com/getkirby/kirby/releases/tag/3.10.1.2) and [Kirby 4.7.1](https://github.com/getkirby/kirby/releases/tag/4.7.1). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, we have added a check for the collection path that ensures that the resulting path is contained within the configured collections root. Collection paths that point outside of the collections root will not be loaded.",
"id": "GHSA-x275-h9j4-7p4h",
"modified": "2025-05-13T20:02:17Z",
"published": "2025-05-13T20:02:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-x275-h9j4-7p4h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31493"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/commit/95a51480a426a8ed0df799cc017403be9b987ced"
},
{
"type": "PACKAGE",
"url": "https://github.com/getkirby/kirby"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.10.1.2"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.9.8.3"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/4.7.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Kirby vulnerable to path traversal of collection names during file system lookup"
}
GHSA-X2HR-HC3F-WJ3X
Vulnerability from github – Published: 2025-10-24 00:30 – Updated: 2025-10-24 00:30A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary directories on the target machine.
{
"affected": [],
"aliases": [
"CVE-2025-60023"
],
"database_specific": {
"cwe_ids": [
"CWE-23"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-23T23:15:37Z",
"severity": "MODERATE"
},
"details": "A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary directories on the target machine.",
"id": "GHSA-x2hr-hc3f-wj3x",
"modified": "2025-10-24T00:30:53Z",
"published": "2025-10-24T00:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60023"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json"
},
{
"type": "WEB",
"url": "https://support.automationdirect.com/docs/securityconsiderations.pdf"
},
{
"type": "WEB",
"url": "https://www.automationdirect.com/support/software-downloads"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X3H8-62X9-952G
Vulnerability from github – Published: 2025-11-19 19:43 – Updated: 2025-11-19 19:43Summary
A vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system.
Details
- Title: Arbitrary Local File Read in Astro Development Image Endpoint
- Type: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Component:
/packages/astro/src/assets/endpoint/node.ts - Affected Versions: Astro v5.x development builds (confirmed v5.13.3)
- Attack Vector: Network (HTTP GET request)
- Authentication Required: None
The vulnerability exists in the Node.js image endpoint handler used during development mode. The endpoint accepts an href parameter that specifies the path to an image file. In development mode, this parameter is processed without adequate path validation, allowing attackers to specify absolute file paths.
Vulnerable Code Location: packages/astro/src/assets/endpoint/node.ts
// Vulnerable code in development mode
if (import.meta.env.DEV) {
fileUrl = pathToFileURL(removeQueryString(replaceFileSystemReferences(src)));
} else {
// Production has proper path validation
// ... security checks omitted in dev mode
}
The development branch bypasses the security checks that exist in the production code path, which validates that file paths are within the allowed assets directory.
PoC
Attack Prerequisites
- Astro development server must be running (
astro dev) - The
/_imageendpoint must be accessible to the attacker - Target image files must be readable by the Node.js process
Exploit Steps
-
Start Astro Development Server:
bash astro dev # Typically runs on http://localhost:4321 -
Craft Malicious Request:
http GET /_image?href=/[ABSOLUTE_PATH_TO_IMAGE]&w=100&h=100&f=png HTTP/1.1 Host: localhost:4321 -
Example Attack:
bash curl "http://localhost:4321/_image?href=/%2FSystem%2FLibrary%2FImage%20Capture%2FAutomatic%20Tasks%2FMakePDF.app%2FContents%2FResources%2F0blank.jpg&w=100&h=100&f=png" -o stolen.png
Demonstration Results
Test Environment: macOS with Astro v5.13.3
Successful Exploitation:
- Target: /System/Library/Image Capture/Automatic Tasks/MakePDF.app/Contents/Resources/0blank.jpg
- Response: HTTP 200 OK, Content-Type: image/png
- Exfiltration: 303 bytes (100x100 PNG)
- File Created: stolen-image.png containing processed system image
Attack Payload:
http://localhost:4321/_image?href=/%2FSystem%2FLibrary%2FImage%20Capture%2FAutomatic%20Tasks%2FMakePDF.app%2FContents%2FResources%2F0blank.jpg&w=100&h=100&f=png
Server Response:
Status: 200 OK
Content-Type: image/png
Content-Length: 303
Impact
Confidentiality Impact: HIGH
- Scope: Any image file readable by the Node.js process
- Exfiltration Method: Complete file contents via HTTP response (transformed to PNG)
Integrity Impact: NONE
- The vulnerability only allows reading files, not modification
Availability Impact: NONE
- No direct impact on system availability
- Potential for resource exhaustion through repeated large image requests
Affected Components
Primary Component
- File:
packages/astro/src/assets/endpoint/node.ts - Function:
loadLocalImage() - Lines: Development mode branch (~25-35)
Secondary Components
- File:
packages/astro/src/assets/endpoint/generic.ts - Impact: Uses different code path, not directly vulnerable
- Note: Implements proper remote allowlist validation
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "astro"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64757"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-19T19:43:05Z",
"nvd_published_at": "2025-11-19T17:15:52Z",
"severity": "LOW"
},
"details": "### Summary\nA vulnerability has been identified in the Astro framework\u0027s development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system.\n\n### Details\n- **Title**: Arbitrary Local File Read in Astro Development Image Endpoint\n- **Type**: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\n- **Component**: `/packages/astro/src/assets/endpoint/node.ts`\n- **Affected Versions**: Astro v5.x development builds (confirmed v5.13.3)\n- **Attack Vector**: Network (HTTP GET request)\n- **Authentication Required**: None\n\nThe vulnerability exists in the Node.js image endpoint handler used during development mode. The endpoint accepts an `href` parameter that specifies the path to an image file. In development mode, this parameter is processed without adequate path validation, allowing attackers to specify absolute file paths.\n\n**Vulnerable Code Location**: `packages/astro/src/assets/endpoint/node.ts`\n\n```typescript\n// Vulnerable code in development mode\nif (import.meta.env.DEV) {\n fileUrl = pathToFileURL(removeQueryString(replaceFileSystemReferences(src)));\n} else {\n // Production has proper path validation\n // ... security checks omitted in dev mode\n}\n```\n\nThe development branch bypasses the security checks that exist in the production code path, which validates that file paths are within the allowed assets directory.\n\n### PoC\n#### Attack Prerequisites\n1. Astro development server must be running (`astro dev`)\n2. The `/_image` endpoint must be accessible to the attacker\n3. Target image files must be readable by the Node.js process\n\n#### Exploit Steps\n\n1. Start Astro Development Server:\n ```bash\n astro dev # Typically runs on http://localhost:4321\n ```\n\n2. Craft Malicious Request:\n ```http\n GET /_image?href=/[ABSOLUTE_PATH_TO_IMAGE]\u0026w=100\u0026h=100\u0026f=png HTTP/1.1\n Host: localhost:4321\n ```\n\n3. Example Attack:\n ```bash\n curl \"http://localhost:4321/_image?href=/%2FSystem%2FLibrary%2FImage%20Capture%2FAutomatic%20Tasks%2FMakePDF.app%2FContents%2FResources%2F0blank.jpg\u0026w=100\u0026h=100\u0026f=png\" -o stolen.png\n ```\n\n#### Demonstration Results\n\n**Test Environment**: macOS with Astro v5.13.3\n\n**Successful Exploitation**:\n- Target: `/System/Library/Image Capture/Automatic Tasks/MakePDF.app/Contents/Resources/0blank.jpg`\n- Response: HTTP 200 OK, Content-Type: image/png\n- Exfiltration: 303 bytes (100x100 PNG)\n- File Created: `stolen-image.png` containing processed system image\n\n**Attack Payload**:\n```\nhttp://localhost:4321/_image?href=/%2FSystem%2FLibrary%2FImage%20Capture%2FAutomatic%20Tasks%2FMakePDF.app%2FContents%2FResources%2F0blank.jpg\u0026w=100\u0026h=100\u0026f=png\n```\n\n**Server Response**:\n```\nStatus: 200 OK\nContent-Type: image/png\nContent-Length: 303\n```\n\n### Impact\n\n#### Confidentiality Impact: HIGH\n- **Scope**: Any image file readable by the Node.js process\n- **Exfiltration Method**: Complete file contents via HTTP response (transformed to PNG)\n\n#### Integrity Impact: NONE\n- The vulnerability only allows reading files, not modification\n\n#### Availability Impact: NONE \n- No direct impact on system availability\n- Potential for resource exhaustion through repeated large image requests\n\n### Affected Components\n\n#### Primary Component\n- **File**: `packages/astro/src/assets/endpoint/node.ts`\n- **Function**: `loadLocalImage()`\n- **Lines**: Development mode branch (~25-35)\n\n#### Secondary Components \n- **File**: `packages/astro/src/assets/endpoint/generic.ts`\n- **Impact**: Uses different code path, not directly vulnerable\n- **Note**: Implements proper remote allowlist validation",
"id": "GHSA-x3h8-62x9-952g",
"modified": "2025-11-19T19:43:05Z",
"published": "2025-11-19T19:43:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64757"
},
{
"type": "WEB",
"url": "https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7"
},
{
"type": "PACKAGE",
"url": "https://github.com/withastro/astro"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Astro Development Server has Arbitrary Local File Read"
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Strategy: Input Validation
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
- Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
- realpath() in C
- getCanonicalPath() in Java
- GetFullPath() in ASP.NET
- realpath() or abs_path() in Perl
- realpath() in PHP
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-139: Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.