Common Weakness Enumeration

CWE-29

Allowed

Path Traversal: '\..\filename'

Abstraction: Variant · Status: Incomplete

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.

127 vulnerabilities reference this CWE, most recent first.

GHSA-Q97Q-7J3C-MX9J

Vulnerability from github – Published: 2024-10-29 15:32 – Updated: 2024-10-29 15:32
VLAI
Details

An arbitrary file read vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240628 due to insufficient validation when loading prompt template files. An attacker can read any file that matches specific criteria using an absolute path. The file must not have a .json extension and, except for the first line, every other line must contain commas. This vulnerability allows reading parts of format-compliant files, including code and log files, which may contain highly sensitive information such as account credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7962"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-29"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-29T13:15:10Z",
    "severity": "HIGH"
  },
  "details": "An arbitrary file read vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240628 due to insufficient validation when loading prompt template files. An attacker can read any file that matches specific criteria using an absolute path. The file must not have a .json extension and, except for the first line, every other line must contain commas. This vulnerability allows reading parts of format-compliant files, including code and log files, which may contain highly sensitive information such as account credentials.",
  "id": "GHSA-q97q-7j3c-mx9j",
  "modified": "2024-10-29T15:32:05Z",
  "published": "2024-10-29T15:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7962"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gaizhenbiao/chuanhuchatgpt/commit/2836fd1db3efcd5ede63c0e7fbbdf677730dbb51"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/83f0a8e1-490c-49e7-b334-02125ee0f1b1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QFJF-662J-2XXG

Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2024-06-06 21:30
VLAI
Details

A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application, specifically within the @router.post("/install_extension") route handler. The vulnerability arises due to improper handling of the name parameter in the ExtensionBuilder().build_extension() method, which allows for local file inclusion (LFI) leading to arbitrary code execution. An attacker can exploit this vulnerability by crafting a malicious name parameter that causes the server to load and execute a __init__.py file from an arbitrary location, such as the upload directory for discussions. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to remote code execution without requiring user interaction, especially when the application is exposed to an external endpoint or operated in headless mode.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-29"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-06T19:16:02Z",
    "severity": "CRITICAL"
  },
  "details": "A remote code execution (RCE) vulnerability exists in the \u0027/install_extension\u0027 endpoint of the parisneo/lollms-webui application, specifically within the `@router.post(\"/install_extension\")` route handler. The vulnerability arises due to improper handling of the `name` parameter in the `ExtensionBuilder().build_extension()` method, which allows for local file inclusion (LFI) leading to arbitrary code execution. An attacker can exploit this vulnerability by crafting a malicious `name` parameter that causes the server to load and execute a `__init__.py` file from an arbitrary location, such as the upload directory for discussions. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to remote code execution without requiring user interaction, especially when the application is exposed to an external endpoint or operated in headless mode.",
  "id": "GHSA-qfjf-662j-2xxg",
  "modified": "2024-06-06T21:30:37Z",
  "published": "2024-06-06T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4320"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/d6564f04-0f59-4686-beb2-11659342279b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QG8P-32GR-GH6X

Vulnerability from github – Published: 2023-12-20 06:30 – Updated: 2024-01-02 15:14
VLAI
Summary
MLflow Local File Disclosure Vulnerability
Details

This vulnerability enables malicious users to read sensitive files on the server.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mlflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-6977"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-29"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-20T20:35:06Z",
    "nvd_published_at": "2023-12-20T06:15:45Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability enables malicious users to read sensitive files on the server.",
  "id": "GHSA-qg8p-32gr-gh6x",
  "modified": "2024-01-02T15:14:10Z",
  "published": "2023-12-20T06:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6977"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/commit/4bd7f27c810ba7487d53ed5ef1038fca0f8dc28c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mlflow/mlflow"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/fe53bf71-3687-4711-90df-c26172880aaf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MLflow Local File Disclosure Vulnerability"
}

GHSA-QR8V-2MXV-XRJ9

Vulnerability from github – Published: 2023-11-16 18:30 – Updated: 2023-11-16 18:30
VLAI
Details

An attacker can read any file on the filesystem on the server hosting ModelDB through an LFI in the artifact_path URL parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6023"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-29"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-16T16:15:35Z",
    "severity": "HIGH"
  },
  "details": "An attacker can read any file on the filesystem on the server hosting ModelDB through an LFI in the artifact_path URL parameter.",
  "id": "GHSA-qr8v-2mxv-xrj9",
  "modified": "2023-11-16T18:30:31Z",
  "published": "2023-11-16T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6023"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/644ab868-db6d-4685-ab35-1a897632d2ca"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QWW8-25FX-J9HQ

Vulnerability from github – Published: 2025-02-01 06:31 – Updated: 2025-02-01 06:31
VLAI
Details

Dell PowerProtect DD versions prior to DDOS 8.3.0.0, 7.10.1.50, and 7.13.1.20 contain a path traversal vulnerability. A local low privileged could potentially exploit this vulnerability to gain unauthorized overwrite of OS files stored on the server filesystem. Exploitation could lead to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-51534"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-29"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-01T04:15:31Z",
    "severity": "HIGH"
  },
  "details": "Dell PowerProtect DD versions prior to DDOS 8.3.0.0, 7.10.1.50, and 7.13.1.20 contain a path traversal vulnerability. A local low privileged could potentially exploit this vulnerability to gain unauthorized overwrite of OS files stored on the server filesystem. Exploitation could lead to denial of service.",
  "id": "GHSA-qww8-25fx-j9hq",
  "modified": "2025-02-01T06:31:00Z",
  "published": "2025-02-01T06:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51534"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000279157/dsa-2025-022-security-update-for-dell-powerprotect-dd-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RFQQ-WQ6W-72JM

Vulnerability from github – Published: 2024-05-16 09:33 – Updated: 2025-04-08 22:00
VLAI
Summary
MLflow has a Local File Read/Path Traversal bypass
Details

A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mlflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.2"
            },
            {
              "fixed": "2.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-3848"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-29"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-16T17:47:00Z",
    "nvd_published_at": "2024-05-16T09:15:14Z",
    "severity": "HIGH"
  },
  "details": "A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application\u0027s handling of artifact URLs, where a \u0027#\u0027 character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.",
  "id": "GHSA-rfqq-wq6w-72jm",
  "modified": "2025-04-08T22:00:26Z",
  "published": "2024-05-16T09:33:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3848"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/commit/f8d51e21523238280ebcfdb378612afd7844eca8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mlflow/mlflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2024-244.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/8d5aadaa-522f-4839-b41b-d7da362dd610"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MLflow has a Local File Read/Path Traversal bypass"
}

GHSA-V7VR-XFPJ-4F3M

Vulnerability from github – Published: 2026-02-02 12:31 – Updated: 2026-02-02 12:31
VLAI
Details

A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the name parameter of the @router.post("/reinstall_extension") route. This vulnerability allows attackers to inject a malicious name parameter, leading to the server loading and executing arbitrary Python files from the upload directory for discussions. This issue arises due to the concatenation of data.name directly with lollmsElfServer.lollms_paths.extensions_zoo_path and its use as an argument for ExtensionBuilder().build_extension(). The server's handling of the __init__.py file in arbitrary locations, facilitated by importlib.machinery.SourceFileLoader, enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to Remote Code Execution (RCE) when the application is exposed to an external endpoint or the UI, especially when bound to 0.0.0.0 or in headless mode. No user interaction is required for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2356"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-29"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-02T11:15:52Z",
    "severity": "CRITICAL"
  },
  "details": "A Local File Inclusion (LFI) vulnerability exists in the \u0027/reinstall_extension\u0027 endpoint of the parisneo/lollms-webui application, specifically within the `name` parameter of the `@router.post(\"/reinstall_extension\")` route. This vulnerability allows attackers to inject a malicious `name` parameter, leading to the server loading and executing arbitrary Python files from the upload directory for discussions. This issue arises due to the concatenation of `data.name` directly with `lollmsElfServer.lollms_paths.extensions_zoo_path` and its use as an argument for `ExtensionBuilder().build_extension()`. The server\u0027s handling of the `__init__.py` file in arbitrary locations, facilitated by `importlib.machinery.SourceFileLoader`, enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to Remote Code Execution (RCE) when the application is exposed to an external endpoint or the UI, especially when bound to `0.0.0.0` or in `headless mode`. No user interaction is required for exploitation.",
  "id": "GHSA-v7vr-xfpj-4f3m",
  "modified": "2026-02-02T12:31:14Z",
  "published": "2026-02-02T12:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2356"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/cb9867b4-28e3-4406-9031-f66fc28553d4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V83H-65MX-QFF4

Vulnerability from github – Published: 2023-11-14 18:30 – Updated: 2023-11-14 18:30
VLAI
Details

Path Traversal: '..\filename' in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6130"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-29"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-14T17:15:08Z",
    "severity": "HIGH"
  },
  "details": "Path Traversal: \u0027\\..\\filename\u0027 in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.",
  "id": "GHSA-v83h-65mx-qff4",
  "modified": "2023-11-14T18:30:27Z",
  "published": "2023-11-14T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6130"
    },
    {
      "type": "WEB",
      "url": "https://github.com/salesagility/suitecrm/commit/54bc56c3bd9f1db75408db1c1d7d652c3f5f71e9"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/22a27be9-f016-4daf-9887-c77eb3e1dc74"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V9PH-8HF4-HGRX

Vulnerability from github – Published: 2024-06-12 12:30 – Updated: 2024-06-12 12:30
VLAI
Details

A path traversal vulnerability in mintplex-labs/anything-llm allowed a manager to bypass the normalizePath() function, intended to defend against path traversal attacks. This vulnerability enables the manager to read, delete, or overwrite the 'anythingllm.db' database file and other files stored in the 'storage' directory, such as internal communication keys and .env secrets. Exploitation of this vulnerability could lead to application compromise, denial of service (DoS) attacks, and unauthorized admin account takeover. The issue stems from improper validation of user-supplied input in the process of setting a custom logo for the app, which can be manipulated to achieve arbitrary file read, deletion, or overwrite, and to execute a DoS attack by deleting critical files required for the application's operation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5211"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-29"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-12T12:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "A path traversal vulnerability in mintplex-labs/anything-llm allowed a manager to bypass the `normalizePath()` function, intended to defend against path traversal attacks. This vulnerability enables the manager to read, delete, or overwrite the \u0027anythingllm.db\u0027 database file and other files stored in the \u0027storage\u0027 directory, such as internal communication keys and .env secrets. Exploitation of this vulnerability could lead to application compromise, denial of service (DoS) attacks, and unauthorized admin account takeover. The issue stems from improper validation of user-supplied input in the process of setting a custom logo for the app, which can be manipulated to achieve arbitrary file read, deletion, or overwrite, and to execute a DoS attack by deleting critical files required for the application\u0027s operation.",
  "id": "GHSA-v9ph-8hf4-hgrx",
  "modified": "2024-06-12T12:30:41Z",
  "published": "2024-06-12T12:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5211"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mintplex-labs/anything-llm/commit/e208074ef4c240fe03e4147ab097ec3b52b97619"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/38f282cb-7226-435e-9832-2d4a102dad4b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VHCX-3PQ2-4FVC

Vulnerability from github – Published: 2026-03-30 03:30 – Updated: 2026-04-01 00:08
VLAI
Summary
MLFlow path traversal vulnerability
Details

A path traversal vulnerability exists in the extract_archive_to_dir function within the mlflow/pyfunc/dbconnect_artifact_cache.py file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mlflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.0rc0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-15036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-29"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T00:08:57Z",
    "nvd_published_at": "2026-03-30T02:16:14Z",
    "severity": "CRITICAL"
  },
  "details": "A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.",
  "id": "GHSA-vhcx-3pq2-4fvc",
  "modified": "2026-04-01T00:08:57Z",
  "published": "2026-03-30T03:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15036"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/commit/3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mlflow/mlflow"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/36c314cf-fd6e-4fb0-b9b0-1b47bcdf0eb0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MLFlow path traversal vulnerability"
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.