Common Weakness Enumeration

CWE-23

Allowed

Relative Path Traversal

Abstraction: Base · Status: Draft

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

778 vulnerabilities reference this CWE, most recent first.

GHSA-XHJH-M9VH-W983

Vulnerability from github – Published: 2022-05-17 05:16 – Updated: 2025-07-07 21:31
VLAI
Details

Directory traversal vulnerability in the web server in SpecView 2.5 build 853 and earlier allows remote attackers to read arbitrary files via a ... (dot dot dot) in a URI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-5972"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-01-17T16:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Directory traversal vulnerability in the web server in SpecView 2.5 build 853 and earlier allows remote attackers to read arbitrary files via a ... (dot dot dot) in a URI.",
  "id": "GHSA-xhjh-m9vh-w983",
  "modified": "2025-07-07T21:31:21Z",
  "published": "2022-05-17T05:16:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5972"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-13-011-02"
    },
    {
      "type": "WEB",
      "url": "http://aluigi.altervista.org/adv/specview_1-adv.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/control_systems/pdf/ICSA-13-011-02.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XMPQ-X22F-7JG3

Vulnerability from github – Published: 2024-10-02 18:31 – Updated: 2024-10-02 18:31
VLAI
Details

A vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with low privileges to execute arbitrary code on an affected device.

This vulnerability is due to improper path validation. An attacker could exploit this vulnerability by using the Secure Copy Protocol (SCP) to upload malicious code to an affected device using path traversal techniques. A successful exploit could allow the attacker to execute arbitrary code in a specific container with the privileges of root.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-02T17:15:16Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with low privileges to execute arbitrary code on an affected device.\n\nThis vulnerability is due to improper path validation. An attacker could exploit this vulnerability by using the Secure Copy Protocol (SCP) to upload malicious code to an affected device using path traversal techniques. A successful exploit could allow the attacker to execute arbitrary\u0026nbsp;code in a specific container with the privileges of root.",
  "id": "GHSA-xmpq-x22f-7jg3",
  "modified": "2024-10-02T18:31:33Z",
  "published": "2024-10-02T18:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20449"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndfc-ptrce-BUSHLbp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPHH-5V4R-R3RX

Vulnerability from github – Published: 2025-12-30 19:25 – Updated: 2025-12-30 19:25
VLAI
Summary
PsiTransfer has Zip Slip Path Traversal via TAR Archive Download
Details

Summary

A Zip Slip vulnerability in PsiTransfer allows an unauthenticated attacker to upload files with path traversal sequences in the filename (e.g. ../../../.ssh/authorized_keys). When a victim downloads the bucket as a .tar.gz archive and extracts it, malicious files are written outside the intended directory, potentially leading to RCE.

Details

The vulnerability exists in the archive download functionality in lib/endpoints.js where user controlled metadata.name is used directly without sanitization when creating TAR archive entries.

lib/endpoints.js:275

const entry = pack.entry({ name: info.metadata.name, size: info.size });
lib/endpoints.js:372
assert(meta.name, 'tus meta prop missing: name');

PoC

I. Upload file with malicious filename (no authentication required).

MALICIOUS_NAME=$(echo -n "../../../tmp/dp.txt" | base64)
SID=$(echo -n "evil" | base64)
RETENTION=$(echo -n "3600" | base64)

curl -X POST http://TARGET:3000/files \
  -H "Tus-Resumable: 1.0.0" \
  -H "Upload-Length: 15" \
  -H "Upload-Metadata: name ${MALICIOUS_NAME},sid ${SID},retention ${RETENTION}"

II. Complete upload with PATCH

curl -X PATCH "http://TARGET:3000/files/evil++<UUID>" \
  -H "Tus-Resumable: 1.0.0" \
  -H "Upload-Offset: 0" \
  -H "Content-Type: application/offset+octet-stream" \
  -d "MALICIOUS_CONTENT"

III. Victim downloads and extracts TAR

curl "http://TARGET:3000/files/evil++<HASH>.tar.gz" -o files.tar.gz
tar -tzf files.tar.gz

Impact

Arbitrary File Write: Attacker can write files anywhere on victim's filesystem when they extract the archive. RCE: By targeting ~/.bashrc, ~/.ssh/authorized_keys, cron directories etc... No Authentication Required: Default configuration has uploadPass: false. Social Engineering Vector: Attacker sends malicious download link to victim.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "psitransfer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-30T19:25:04Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA Zip Slip vulnerability in PsiTransfer allows an unauthenticated attacker to upload files with path traversal sequences in the filename (e.g. `../../../.ssh/authorized_keys`). When a victim downloads the bucket as a **.tar.gz** archive and extracts it, malicious files are written outside the intended directory, potentially leading to RCE.\n\n### Details\n\nThe vulnerability exists in the archive download functionality in **lib/endpoints.js** where user controlled metadata.name is used directly without sanitization when creating TAR archive entries.\n\n```\nlib/endpoints.js:275\n\nconst entry = pack.entry({ name: info.metadata.name, size: info.size });\n```\n\n```\nlib/endpoints.js:372\nassert(meta.name, \u0027tus meta prop missing: name\u0027);\n```\n\n### PoC\n\nI. Upload file with malicious filename (no authentication required).\n\n```\nMALICIOUS_NAME=$(echo -n \"../../../tmp/dp.txt\" | base64)\nSID=$(echo -n \"evil\" | base64)\nRETENTION=$(echo -n \"3600\" | base64)\n\ncurl -X POST http://TARGET:3000/files \\\n  -H \"Tus-Resumable: 1.0.0\" \\\n  -H \"Upload-Length: 15\" \\\n  -H \"Upload-Metadata: name ${MALICIOUS_NAME},sid ${SID},retention ${RETENTION}\"\n```\n\nII. Complete upload with PATCH\n\n```\ncurl -X PATCH \"http://TARGET:3000/files/evil++\u003cUUID\u003e\" \\\n  -H \"Tus-Resumable: 1.0.0\" \\\n  -H \"Upload-Offset: 0\" \\\n  -H \"Content-Type: application/offset+octet-stream\" \\\n  -d \"MALICIOUS_CONTENT\"\n```\n  \nIII. Victim downloads and extracts TAR\n\n```\ncurl \"http://TARGET:3000/files/evil++\u003cHASH\u003e.tar.gz\" -o files.tar.gz\ntar -tzf files.tar.gz\n```\n\n### Impact\n\nArbitrary File Write: Attacker can write files anywhere on victim\u0027s filesystem when they extract the archive.\nRCE: By targeting ~/.bashrc, ~/.ssh/authorized_keys, cron directories etc...\nNo Authentication Required: Default configuration has **uploadPass: false**.\nSocial Engineering Vector: Attacker sends malicious download link to victim.",
  "id": "GHSA-xphh-5v4r-r3rx",
  "modified": "2025-12-30T19:25:04Z",
  "published": "2025-12-30T19:25:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-xphh-5v4r-r3rx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/psi-4ward/psitransfer/commit/6c71bc0b8afa1ffa7aabd6c5fb28677651fd57b6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/psi-4ward/psitransfer"
    },
    {
      "type": "WEB",
      "url": "https://github.com/psi-4ward/psitransfer/releases/tag/v2.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PsiTransfer has Zip Slip Path Traversal via TAR Archive Download"
}

GHSA-XPQM-WM3M-F34H

Vulnerability from github – Published: 2026-01-26 21:02 – Updated: 2026-01-29 03:23
VLAI
Summary
pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
Details

Summary

A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of node_modules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal sequences like ../../ remain intact.

Details

The vulnerability exists in the bin name validation and normalization logic:

1. Validation Bypass (pkg-manager/package-bins/src/index.ts)

The filter allows any bin name starting with @ to pass through without validation:

.filter((commandName) =>
  encodeURIComponent(commandName) === commandName ||
  commandName === '' ||
  commandName[0] === '@'  // <-- Bypasses validation
)

2. Incomplete Normalization (pkg-manager/package-bins/src/index.ts)

function normalizeBinName (name: string): string {
  return name[0] === '@' ? name.slice(name.indexOf('/') + 1) : name
}
// Input:  @scope/../../evil
// Output: ../../evil  <-- Path traversal preserved!

3. Exploitation (pkg-manager/link-bins/src/index.ts:288)

The normalized name is used directly in path.join() without validation.

PoC

  1. Create a malicious package:
{
  "name": "malicious-pkg",
  "version": "1.0.0",
  "bin": {
    "@scope/../../.npmrc": "./malicious.js"
  }
}
  1. Install the package:
pnpm add /path/to/malicious-pkg
  1. Observe .npmrc created in project root (outside node_modules/.bin).

Impact

  • All pnpm users who install npm packages
  • CI/CD pipelines using pnpm
  • Can overwrite config files, scripts, or other sensitive files

Verified on pnpm main @ commit 5a0ed1d45.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "pnpm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.28.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-26T21:02:39Z",
    "nvd_published_at": "2026-01-26T22:15:56Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA path traversal vulnerability in pnpm\u0027s bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact.\n\n### Details\nThe vulnerability exists in the bin name validation and normalization logic:\n\n**1. Validation Bypass (`pkg-manager/package-bins/src/index.ts`)**\n\nThe filter allows any bin name starting with `@` to pass through without validation:\n\n```typescript\n.filter((commandName) =\u003e\n  encodeURIComponent(commandName) === commandName ||\n  commandName === \u0027\u0027 ||\n  commandName[0] === \u0027@\u0027  // \u003c-- Bypasses validation\n)\n```\n\n**2. Incomplete Normalization (`pkg-manager/package-bins/src/index.ts`)**\n\n```typescript\nfunction normalizeBinName (name: string): string {\n  return name[0] === \u0027@\u0027 ? name.slice(name.indexOf(\u0027/\u0027) + 1) : name\n}\n// Input:  @scope/../../evil\n// Output: ../../evil  \u003c-- Path traversal preserved!\n```\n\n**3. Exploitation (`pkg-manager/link-bins/src/index.ts:288`)**\n\nThe normalized name is used directly in `path.join()` without validation.\n\n### PoC\n1. Create a malicious package:\n```json\n{\n  \"name\": \"malicious-pkg\",\n  \"version\": \"1.0.0\",\n  \"bin\": {\n    \"@scope/../../.npmrc\": \"./malicious.js\"\n  }\n}\n```\n\n2. Install the package:\n```bash\npnpm add /path/to/malicious-pkg\n```\n\n3. Observe `.npmrc` created in project root (outside node_modules/.bin).\n\n### Impact\n- All pnpm users who install npm packages\n- CI/CD pipelines using pnpm\n- Can overwrite config files, scripts, or other sensitive files\n\nVerified on pnpm main @ commit 5a0ed1d45.",
  "id": "GHSA-xpqm-wm3m-f34h",
  "modified": "2026-01-29T03:23:11Z",
  "published": "2026-01-26T21:02:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23890"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pnpm/pnpm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin"
}

GHSA-XQ3R-2QV5-VQQM

Vulnerability from github – Published: 2026-05-26 17:16 – Updated: 2026-05-26 17:16
VLAI
Summary
XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash
Details

Impact

It's possible to get access and read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false.

This can apparently be reproduced on Tomcat instances.

Patches

This has been patched in 18.0.0-rc-1, 17.10.3, 17.4.9, 16.10.17.

Workarounds

There is no known workaround, other than upgrading XWiki.

References

  • https://jira.xwiki.org/browse/XCOMMONS-3547
  • https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Attribution

The vulnerability was reported by Michał Kołek.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.commons:xwiki-commons-classloader-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2-milestone-2"
            },
            {
              "fixed": "16.10.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.commons:xwiki-commons-classloader-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.0.0-rc-1"
            },
            {
              "fixed": "17.4.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.commons:xwiki-commons-classloader-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.5.0"
            },
            {
              "fixed": "17.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.commons:xwiki-commons-classloader-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "18.0.0-rc-1"
            },
            {
              "fixed": "18.1.0-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23734"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-26T17:16:40Z",
    "nvd_published_at": "2026-05-20T20:16:36Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nIt\u0027s possible to get access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg\u0026minify=false`.\n\nThis can apparently be reproduced on Tomcat instances.\n\n### Patches\n\nThis has been patched in 18.0.0-rc-1, 17.10.3, 17.4.9, 16.10.17.\n\n### Workarounds\n\nThere is no known workaround, other than upgrading XWiki.\n\n### References\n\n* https://jira.xwiki.org/browse/XCOMMONS-3547\n* https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nThe vulnerability was reported by Micha\u0142 Ko\u0142ek.",
  "id": "GHSA-xq3r-2qv5-vqqm",
  "modified": "2026-05-26T17:16:40Z",
  "published": "2026-05-26T17:16:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-xq3r-2qv5-vqqm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23734"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-commons"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XCOMMONS-3547"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash"
}

GHSA-XQ4J-X39Q-XHQM

Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-06-30 03:35
VLAI
Details

A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2818"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-20T17:25:57Z",
    "severity": "HIGH"
  },
  "details": "A zip-slip path traversal vulnerability in Spring Data Geode\u0027s import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only.",
  "id": "GHSA-xq4j-x39q-xhqm",
  "modified": "2026-06-30T03:35:37Z",
  "published": "2026-02-20T18:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2818"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-2818"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441384"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2818.json"
    },
    {
      "type": "WEB",
      "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-2818"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XRQC-7XGX-C9VH

Vulnerability from github – Published: 2025-12-09 17:17 – Updated: 2025-12-20 05:44
VLAI
Summary
RCE via ZipSlip and symbolic links in argoproj/argo-workflows
Details

Summary

The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links.

Details

The untar code that handles symbolic links in archives is unsafe. Concretely, the computation of the link's target and the subsequent check are flawed: https://github.com/argoproj/argo-workflows/blob/5291e0b01f94ba864f96f795bb500f2cfc5ad799/workflow/executor/executor.go#L1034-L1037

PoC

  1. Create a malicious archive containing two files: a symbolik link with path "./work/foo" and target "/etc", and a normal text file with path "./work/foo/hostname".
  2. Deploy a workflow like the one in https://github.com/argoproj/argo-workflows/security/advisories/GHSA-p84v-gxvw-73pf with the malicious archive mounted at /work/tmp.
  3. Submit the workflow and wait for its execution.
  4. Connect to the corresponding pod and observe that the file "/etc/hostname" was altered by the untar operation performed on the malicious archive. The attacker can hence alter arbitrary files in this way.

Impact

The attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which will be executed at the pod's start.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-workflows/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "3.7.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-workflows/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-workflows"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.5.3-rc4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66626"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23",
      "CWE-59",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-09T17:17:22Z",
    "nvd_published_at": "2025-12-09T21:16:00Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links.\n\n### Details\nThe untar code that handles symbolic links in archives is unsafe. Concretely, the computation of the link\u0027s target and the subsequent check are flawed: \nhttps://github.com/argoproj/argo-workflows/blob/5291e0b01f94ba864f96f795bb500f2cfc5ad799/workflow/executor/executor.go#L1034-L1037\n\n### PoC\n1. Create a malicious archive containing two files: a symbolik link with path \"./work/foo\" and target \"/etc\", and a normal text file with path \"./work/foo/hostname\".\n2. Deploy a workflow like the one in https://github.com/argoproj/argo-workflows/security/advisories/GHSA-p84v-gxvw-73pf with the malicious archive mounted at /work/tmp.\n3. Submit the workflow and wait for its execution. \n4. Connect to the corresponding pod and observe that the file \"/etc/hostname\" was altered by the untar operation performed on the malicious archive. The attacker can hence alter arbitrary files in this way. \n\n### Impact\nThe attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which will be executed at the pod\u0027s start.",
  "id": "GHSA-xrqc-7xgx-c9vh",
  "modified": "2025-12-20T05:44:32Z",
  "published": "2025-12-09T17:17:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xrqc-7xgx-c9vh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66626"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-workflows/commit/6b92af23f35aed4d4de8b04adcaf19d68f006de1"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-p84v-gxvw-73pf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj/argo-workflows"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-workflows/blob/5291e0b01f94ba864f96f795bb500f2cfc5ad799/workflow/executor/executor.go#L1034-L1037"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": " RCE via ZipSlip and symbolic links in argoproj/argo-workflows"
}

GHSA-XX9M-2FC7-MHX8

Vulnerability from github – Published: 2025-01-14 15:30 – Updated: 2025-01-14 15:30
VLAI
Details

A relative path traversal in Fortinet FortiRecorder [CWE-23] version 7.2.0 through 7.2.1 and before 7.0.4 allows a privileged attacker to read files from the underlying filesystem via crafted HTTP or HTTPs requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46664"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-23"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T14:15:31Z",
    "severity": "MODERATE"
  },
  "details": "A relative path traversal in Fortinet FortiRecorder [CWE-23] version 7.2.0 through 7.2.1 and before 7.0.4 allows a privileged attacker to read files from the underlying filesystem via crafted HTTP or HTTPs requests.",
  "id": "GHSA-xx9m-2fc7-mhx8",
  "modified": "2025-01-14T15:30:53Z",
  "published": "2025-01-14T15:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46664"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-310"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20.1
Implementation

Strategy: Input Validation

  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
  • realpath() in C
  • getCanonicalPath() in Java
  • GetFullPath() in ASP.NET
  • realpath() or abs_path() in Perl
  • realpath() in PHP
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-139: Relative Path Traversal

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.