CWE-24
AllowedPath Traversal: '../filedir'
Abstraction: Variant · Status: Incomplete
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.
187 vulnerabilities reference this CWE, most recent first.
GHSA-4WJ3-6RQ6-HRW7
Vulnerability from github – Published: 2023-08-05 21:30 – Updated: 2023-08-05 21:30A vulnerability classified as problematic was found in Chengdu Flash Flood Disaster Monitoring and Warning System 2.0. This vulnerability affects unknown code of the file \Service\FileDownload.ashx. The manipulation of the argument Files leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-236206 is the identifier assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-4171"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-05T21:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic was found in Chengdu Flash Flood Disaster Monitoring and Warning System 2.0. This vulnerability affects unknown code of the file \\Service\\FileDownload.ashx. The manipulation of the argument Files leads to path traversal: \u0027../filedir\u0027. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-236206 is the identifier assigned to this vulnerability.",
"id": "GHSA-4wj3-6rq6-hrw7",
"modified": "2023-08-05T21:30:19Z",
"published": "2023-08-05T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4171"
},
{
"type": "WEB",
"url": "https://github.com/nagenanhai/cve/blob/main/duqu.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.236206"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.236206"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-56G6-5G9J-WJC3
Vulnerability from github – Published: 2025-04-26 15:30 – Updated: 2025-04-26 15:30In Artifex Ghostscript before 10.05.0, decode_utf8 in base/gp_utf8.c mishandles overlong UTF-8 encoding. NOTE: this issue exists because of an incomplete fix for CVE-2024-46954.
{
"affected": [],
"aliases": [
"CVE-2025-46646"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-26T15:15:45Z",
"severity": "MODERATE"
},
"details": "In Artifex Ghostscript before 10.05.0, decode_utf8 in base/gp_utf8.c mishandles overlong UTF-8 encoding. NOTE: this issue exists because of an incomplete fix for CVE-2024-46954.",
"id": "GHSA-56g6-5g9j-wjc3",
"modified": "2025-04-26T15:30:31Z",
"published": "2025-04-26T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46646"
},
{
"type": "WEB",
"url": "https://bugs.ghostscript.com/show_bug.cgi?id=708311"
},
{
"type": "WEB",
"url": "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f14ea81e6c3d2f51593f23cdf13c4679a18f1a3f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-56R4-VJ3R-H3VV
Vulnerability from github – Published: 2025-04-20 03:50 – Updated: 2025-04-28 15:31GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to read arbitrary files via ../ directory traversal at /mailman/private/mailman (aka the private archive authentication endpoint) via the username parameter.
{
"affected": [],
"aliases": [
"CVE-2025-43919"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-20T01:15:45Z",
"severity": "MODERATE"
},
"details": "GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to read arbitrary files via ../ directory traversal at /mailman/private/mailman (aka the private archive authentication endpoint) via the username parameter.",
"id": "GHSA-56r4-vj3r-h3vv",
"modified": "2025-04-28T15:31:38Z",
"published": "2025-04-20T03:50:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43919"
},
{
"type": "WEB",
"url": "https://code.launchpad.net/~mailman-coders/mailman/2.1"
},
{
"type": "WEB",
"url": "https://github.com/0NYX-MY7H/CVE-2025-43919"
},
{
"type": "WEB",
"url": "https://github.com/cpanel/mailman2-python3"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2025/04/21/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5CGX-VHFP-6CF9
Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2023-10-02 11:38Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.
Specific Go Packages Affected
sigs.k8s.io/secrets-store-csi-driver/controllers sigs.k8s.io/secrets-store-csi-driver/pkg/rotation sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "sigs.k8s.io/secrets-store-csi-driver"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.15"
},
{
"fixed": "0.0.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-8568"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-22",
"CWE-24"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-12T21:44:15Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a `SecretProviderClassPodStatus/Status` resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under `var/lib/kubelet/pods` that contain other Kubernetes Secrets.\n\n### Specific Go Packages Affected\nsigs.k8s.io/secrets-store-csi-driver/controllers\nsigs.k8s.io/secrets-store-csi-driver/pkg/rotation\nsigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store",
"id": "GHSA-5cgx-vhfp-6cf9",
"modified": "2023-10-02T11:38:19Z",
"published": "2022-02-15T01:57:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8568"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/378"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/pull/371"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver/commit/c2cbb19e2eef16638fa0523383788a4bc22231fd"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes-sigs/secrets-store-csi-driver"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-secrets-store-csi-driver/c/Cb9cvymTzl4"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0629"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directory traversal in Kubernetes Secrets Store CSI Driver"
}
GHSA-5F64-P6CF-VVQG
Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8 may allow attacker to escalation of privilege via
{
"affected": [],
"aliases": [
"CVE-2026-39813"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T16:16:45Z",
"severity": "CRITICAL"
},
"details": "A path traversal: \u0027../filedir\u0027 vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8 may allow attacker to escalation of privilege via \u003cinsert attack vector here\u003e",
"id": "GHSA-5f64-p6cf-vvqg",
"modified": "2026-04-14T18:30:36Z",
"published": "2026-04-14T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39813"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-112"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5H64-37WC-RJ27
Vulnerability from github – Published: 2025-05-15 18:31 – Updated: 2025-05-16 03:30In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory.
{
"affected": [],
"aliases": [
"CVE-2025-48050"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-15T16:15:34Z",
"severity": "HIGH"
},
"details": "In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory.",
"id": "GHSA-5h64-37wc-rj27",
"modified": "2025-05-16T03:30:33Z",
"published": "2025-05-15T18:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48050"
},
{
"type": "WEB",
"url": "https://github.com/cure53/DOMPurify/pull/1101"
},
{
"type": "WEB",
"url": "https://github.com/cure53/DOMPurify/commit/6bc6d60e49256f27a4022181b7d8a5b0721fd534"
},
{
"type": "WEB",
"url": "https://github.com/odaysec/advisory/blob/main/cure53/DOMPurify/writeup.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5Q32-895V-VF2F
Vulnerability from github – Published: 2024-03-08 15:30 – Updated: 2025-06-10 09:30A vulnerability was found in ZKTeco ZKBio Media 2.0.0_x64_2024-01-29-1028. It has been classified as problematic. Affected is an unknown function of the file /pro/common/download of the component Service Port 9999. The manipulation of the argument fileName with the input ../../../../zkbio_media.sql leads to path traversal: '../filedir'. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256272. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-2318"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23",
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-08T13:15:07Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in ZKTeco ZKBio Media 2.0.0_x64_2024-01-29-1028. It has been classified as problematic. Affected is an unknown function of the file /pro/common/download of the component Service Port 9999. The manipulation of the argument fileName with the input ../../../../zkbio_media.sql leads to path traversal: \u0027../filedir\u0027. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256272. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-5q32-895v-vf2f",
"modified": "2025-06-10T09:30:30Z",
"published": "2024-03-08T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2318"
},
{
"type": "WEB",
"url": "https://gist.github.com/whiteman007/a3b25a7ddf38774329d72930e0cd841a"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.256272"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.256272"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.288530"
},
{
"type": "WEB",
"url": "https://www.zkteco.com/en/Security_Bulletinsibs/11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5RX8-CHP2-FVXF
Vulnerability from github – Published: 2024-08-07 06:31 – Updated: 2024-08-07 06:31Ivanti Docs@Work for Android, before 2.26.0 is affected by the 'Dirty Stream' vulnerability. The application fails to properly sanitize file names, resulting in a path traversal-affiliated vulnerability. This potentially enables other malicious apps on the device to read sensitive information stored in the app root.
{
"affected": [],
"aliases": [
"CVE-2024-37403"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-07T04:17:18Z",
"severity": "MODERATE"
},
"details": "Ivanti Docs@Work for Android, before 2.26.0 is affected by the \u0027Dirty Stream\u0027 vulnerability. The application fails to properly sanitize file names, resulting in a path traversal-affiliated vulnerability. This potentially enables other malicious apps on the device to read sensitive information stored in the app root.",
"id": "GHSA-5rx8-chp2-fvxf",
"modified": "2024-08-07T06:31:10Z",
"published": "2024-08-07T06:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37403"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/Security-Advisory-CVE-2024-37403-Dirty-Stream-for-Ivanti-Docs-Work-for-Android"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-66JV-2XQF-9P8X
Vulnerability from github – Published: 2023-12-25 03:30 – Updated: 2023-12-25 03:30** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as problematic was found in icret EasyImages 2.8.3. This vulnerability affects unknown code of the file app/hide.php. The manipulation of the argument key leads to path traversal: '../filedir'. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. VDB-248950 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [],
"aliases": [
"CVE-2023-7098"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-25T02:15:44Z",
"severity": "LOW"
},
"details": "** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as problematic was found in icret EasyImages 2.8.3. This vulnerability affects unknown code of the file app/hide.php. The manipulation of the argument key leads to path traversal: \u0027../filedir\u0027. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. VDB-248950 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-66jv-2xqf-9p8x",
"modified": "2023-12-25T03:30:27Z",
"published": "2023-12-25T03:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7098"
},
{
"type": "WEB",
"url": "https://note.zhaoj.in/share/MHnV2WLY9rxU"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.248950"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.248950"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-66Q6-24VW-2G98
Vulnerability from github – Published: 2025-05-05 18:32 – Updated: 2025-10-22 00:33Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.
{
"affected": [],
"aliases": [
"CVE-2025-27920"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-05T16:15:50Z",
"severity": "CRITICAL"
},
"details": "Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.",
"id": "GHSA-66q6-24vw-2g98",
"modified": "2025-10-22T00:33:18Z",
"published": "2025-05-05T18:32:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27920"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27920"
},
{
"type": "WEB",
"url": "https://www.microsoft.com/en-us/security/blog/2025/05/12/marbled-dust-leverages-zero-day-in-output-messenger-for-regional-espionage"
},
{
"type": "WEB",
"url": "https://www.outputmessenger.com/cve-2025-27920"
},
{
"type": "WEB",
"url": "https://www.srimax.com/products-2/output-messenger"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.