CVE-2026-50568 (GCVE-0-2026-50568)
Vulnerability from cvelistv5 – Published: 2026-06-10 17:31 – Updated: 2026-06-10 17:31
VLAI
Title
Fission: SanitizeFilePath lexical HasPrefix bypass permits sibling-directory escape
Summary
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefix(path, safedir). This is a lexical check, not a directory boundary check: /packages-extra/evil starts with /packages, so it passed. The function did not enforce a path-separator boundary, so any sibling directory whose name began with the safe-directory string was accepted. Callers included the builder's Clean handler (pkg/builder/builder.go:208) and the fetcher's Fetch / Upload handlers (pkg/fetcher/fetcher.go). A tenant who could pre-create or control a sibling directory under the fetcher / builder's shared volume could induce a write or read outside the intended safe directory. This issue has been patched in version 1.25.0.
Severity
CWE
- CWE-41 - Improper Resolution of Path Equivalence
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/fission/fission/security/advis… | x_refsource_CONFIRM |
| https://github.com/fission/fission/pull/3445 | x_refsource_MISC |
| https://github.com/fission/fission/pull/3446 | x_refsource_MISC |
| https://github.com/fission/fission/releases/tag/v1.25.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "fission",
"vendor": "fission",
"versions": [
{
"status": "affected",
"version": "\u003c 1.25.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefix(path, safedir). This is a lexical check, not a directory boundary check: /packages-extra/evil starts with /packages, so it passed. The function did not enforce a path-separator boundary, so any sibling directory whose name began with the safe-directory string was accepted. Callers included the builder\u0027s Clean handler (pkg/builder/builder.go:208) and the fetcher\u0027s Fetch / Upload handlers (pkg/fetcher/fetcher.go). A tenant who could pre-create or control a sibling directory under the fetcher / builder\u0027s shared volume could induce a write or read outside the intended safe directory. This issue has been patched in version 1.25.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-41",
"description": "CWE-41: Improper Resolution of Path Equivalence",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:31:49.917Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fission/fission/security/advisories/GHSA-r5jh-q2mw-gcx4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fission/fission/security/advisories/GHSA-r5jh-q2mw-gcx4"
},
{
"name": "https://github.com/fission/fission/pull/3445",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fission/fission/pull/3445"
},
{
"name": "https://github.com/fission/fission/pull/3446",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fission/fission/pull/3446"
},
{
"name": "https://github.com/fission/fission/releases/tag/v1.25.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fission/fission/releases/tag/v1.25.0"
}
],
"source": {
"advisory": "GHSA-r5jh-q2mw-gcx4",
"discovery": "UNKNOWN"
},
"title": "Fission: SanitizeFilePath lexical HasPrefix bypass permits sibling-directory escape"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-50568",
"datePublished": "2026-06-10T17:31:49.917Z",
"dateReserved": "2026-06-04T21:34:34.427Z",
"dateUpdated": "2026-06-10T17:31:49.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-50568\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-10T18:17:13.333\",\"lastModified\":\"2026-06-10T19:37:41.437\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefix(path, safedir). This is a lexical check, not a directory boundary check: /packages-extra/evil starts with /packages, so it passed. The function did not enforce a path-separator boundary, so any sibling directory whose name began with the safe-directory string was accepted. Callers included the builder\u0027s Clean handler (pkg/builder/builder.go:208) and the fetcher\u0027s Fetch / Upload handlers (pkg/fetcher/fetcher.go). A tenant who could pre-create or control a sibling directory under the fetcher / builder\u0027s shared volume could induce a write or read outside the intended safe directory. This issue has been patched in version 1.25.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":3.6,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.0,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-41\"}]}],\"references\":[{\"url\":\"https://github.com/fission/fission/pull/3445\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fission/fission/pull/3446\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fission/fission/releases/tag/v1.25.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fission/fission/security/advisories/GHSA-r5jh-q2mw-gcx4\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…