Common Weakness Enumeration

CWE-35

Allowed

Path Traversal: '.../...//'

Abstraction: Variant · Status: Incomplete

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.

334 vulnerabilities reference this CWE, most recent first.

GHSA-FG59-J242-RCJ9

Vulnerability from github – Published: 2024-07-01 18:32 – Updated: 2024-07-01 18:32
VLAI
Details

In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36991"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-01T17:15:07Z",
    "severity": "HIGH"
  },
  "details": "In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.",
  "id": "GHSA-fg59-j242-rcj9",
  "modified": "2024-07-01T18:32:41Z",
  "published": "2024-07-01T18:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36991"
    },
    {
      "type": "WEB",
      "url": "https://advisory.splunk.com/advisories/SVD-2024-0711"
    },
    {
      "type": "WEB",
      "url": "https://research.splunk.com/application/e7c2b064-524e-4d65-8002-efce808567aa"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FM87-46VV-JQRR

Vulnerability from github – Published: 2018-09-18 13:45 – Updated: 2023-01-31 01:40
VLAI
Summary
Path Traversal in html-pages
Details

Versions of html-pages before 2.1.0 are vulnerable to path traversal.

Recommendation

Update to version 2.1.0 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "html-pages"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-3744"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-35"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:34:53Z",
    "nvd_published_at": "2018-05-29T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Versions of `html-pages` before 2.1.0 are vulnerable to path traversal.\n\n\n## Recommendation\n\nUpdate to version 2.1.0 or later.",
  "id": "GHSA-fm87-46vv-jqrr",
  "modified": "2023-01-31T01:40:06Z",
  "published": "2018-09-18T13:45:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3744"
    },
    {
      "type": "WEB",
      "url": "https://github.com/danielcardoso/html-pages/issues/2"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/306607"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-fm87-46vv-jqrr"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/665"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Path Traversal in html-pages"
}

GHSA-FMMX-7C8X-CQV9

Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-11 15:30
VLAI
Details

Directory Travel in PHPVibe v11.0.46 due to incomplete blacklist checksums and directory checks, which can lead to code execution via writing specific statements to .htaccess and code to a file with a .png suffix.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T17:15:48Z",
    "severity": "HIGH"
  },
  "details": "Directory Travel in PHPVibe v11.0.46 due to incomplete blacklist checksums and directory checks, which can lead to code execution via writing specific statements to .htaccess and code to a file with a .png suffix.",
  "id": "GHSA-fmmx-7c8x-cqv9",
  "modified": "2024-07-11T15:30:44Z",
  "published": "2024-07-09T18:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39171"
    },
    {
      "type": "WEB",
      "url": "https://github.com/751897386/PHPVibe_vulnerability_Directory-Traversal"
    },
    {
      "type": "WEB",
      "url": "http://phpvibe.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FP27-QFPM-95W8

Vulnerability from github – Published: 2023-10-16 09:30 – Updated: 2024-04-04 08:39
VLAI
Details

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21415"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-16T07:15:08Z",
    "severity": "HIGH"
  },
  "details": "Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. \n",
  "id": "GHSA-fp27-qfpm-95w8",
  "modified": "2024-04-04T08:39:25Z",
  "published": "2023-10-16T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21415"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/58/0b/36/cve-2023-21415pdf-en-US-412759.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/b6/55/e2/cve-2023-21415pdf-en-US-416245.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FPX7-Q8WV-4MJ3

Vulnerability from github – Published: 2025-05-16 18:31 – Updated: 2026-04-28 21:35
VLAI
Details

Path Traversal vulnerability in WHMPress WHMpress allows Relative Path Traversal. This issue affects WHMpress: from 6.2 through revision.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-16T16:15:40Z",
    "severity": "HIGH"
  },
  "details": "Path Traversal vulnerability in WHMPress WHMpress allows Relative Path Traversal. This issue affects WHMpress: from 6.2 through revision.",
  "id": "GHSA-fpx7-q8wv-4mj3",
  "modified": "2026-04-28T21:35:36Z",
  "published": "2025-05-16T18:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39492"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/whmpress/vulnerability/wordpress-whmpress-plugin-6-2-revision-9-local-file-inclusion-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FVM8-PGM7-CG8J

Vulnerability from github – Published: 2024-04-09 21:32 – Updated: 2024-04-09 21:32
VLAI
Details

The File Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 7.2.5 via the fm_download_backup function. This makes it possible for authenticated attackers, with administrator access and above, to read the contents of arbitrary zip files on the server, which can contain sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-09T19:15:35Z",
    "severity": "MODERATE"
  },
  "details": "The File Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 7.2.5 via the fm_download_backup function. This makes it possible for authenticated attackers, with administrator access and above, to read the contents of arbitrary zip files on the server, which can contain sensitive information.",
  "id": "GHSA-fvm8-pgm7-cg8j",
  "modified": "2024-04-09T21:32:00Z",
  "published": "2024-04-09T21:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2654"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wp-file-manager/trunk/file_folder_manager.php#L1353"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3062387/wp-file-manager/trunk?contextall=1\u0026old=3051451\u0026old_path=%2Fwp-file-manager%2Ftrunk"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ca98fbc6-8cfa-4997-8a46-344afb75a97e?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G385-HXMR-GHGC

Vulnerability from github – Published: 2024-09-10 06:30 – Updated: 2024-09-10 06:30
VLAI
Details

Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API ledlimit.cgi was vulnerable for path traversal attacks allowing to list folder/file names on the local file system of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-10T05:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Marinus Pfund, member of the AXIS OS Bug Bounty Program, \nhas found the VAPIX API ledlimit.cgi was vulnerable for path traversal attacks allowing to list folder/file names on the local file system of the Axis device. \nAxis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.",
  "id": "GHSA-g385-hxmr-ghgc",
  "modified": "2024-09-10T06:30:48Z",
  "published": "2024-09-10T06:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0067"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/c7/d0/91/cve-2024-0067-en-US-448994.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G4W8-7722-55PW

Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-04-01 18:36
VLAI
Details

Path Traversal vulnerability in Stefan Keller WooCommerce Payment Gateway for Saferpay allows Path Traversal. This issue affects WooCommerce Payment Gateway for Saferpay: from n/a through 0.4.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48317"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-05T17:15:37Z",
    "severity": "HIGH"
  },
  "details": "Path Traversal vulnerability in Stefan Keller WooCommerce Payment Gateway for Saferpay allows Path Traversal. This issue affects WooCommerce Payment Gateway for Saferpay: from n/a through 0.4.9.",
  "id": "GHSA-g4w8-7722-55pw",
  "modified": "2026-04-01T18:36:07Z",
  "published": "2025-09-05T18:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48317"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/woocommerce-payment-gateway-for-saferpay/vulnerability/wordpress-woocommerce-payment-gateway-for-saferpay-plugin-0-4-9-path-traversal-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G54F-66MW-HV66

Vulnerability from github – Published: 2024-09-26 18:16 – Updated: 2024-09-26 21:11
VLAI
Summary
Agnai vulnerable to Relative Path Traversal in Image Upload
Details

Summary

A vulnerability has been discovered in Agnai that permits attackers to upload image files at attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images which may be used for defacement.

This does not affect:

  • agnai.chat
  • installations using S3-compatible storage
  • self-hosting that is not publicly exposed

CWE-35: Path Traversal

https://cwe.mitre.org/data/definitions/35.html

CVSS4.0 - 2.3 Low

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Details

This is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request to the editCharacter handler https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/character.ts#L140:

POST /api/character/28cbe508-2fa9-4890-886e-61d73e22006c%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2f%64%69%73%74%2f%64%61%6e%79%61%6e%67 HTTP/1.1

The path traversal character sequence makes it’s way into the id variable which is then string interpolated into filename.

export async function entityUpload(kind: string, id: string, attachment?: Attachment) {
  if (!attachment) return
  const filename = `${kind}-${id}`
  return upload(attachment, filename)
}

https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/upload.ts#L55

No path normalization is conducted nor checked, so attackers can freely manipulate the path which the file is uploaded to.

Impact

This vulnerability is classified as a path traversal vulnerability. Attackers can upload image files to arbitrary locations, potentially overwriting critical system image files.

Credit

Security research in collaboration with Analyst Danyang Liu (noe223) @noe233

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "agnai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.330"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-35"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-26T18:16:13Z",
    "nvd_published_at": "2024-09-26T18:15:10Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\nA vulnerability has been discovered in **Agnai** that permits attackers to upload image files at attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images which may be used for defacement.\n\nThis does not affect:\n\n- agnai.chat\n- installations using S3-compatible storage\n- self-hosting that is not publicly exposed\n\n### CWE-35: Path Traversal\n\nhttps://cwe.mitre.org/data/definitions/35.html\n\n### CVSS4.0 - 2.3 Low\n\nCVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N\n\n### Details\n\nThis is a path traversal vulnerability. An attacker can exploit this vulnerability by sending a specially crafted request to the `editCharacter` handler https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/character.ts#L140:\n\n```tsx\nPOST /api/character/28cbe508-2fa9-4890-886e-61d73e22006c%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%70%70%2f%64%69%73%74%2f%64%61%6e%79%61%6e%67 HTTP/1.1\n```\n\nThe path traversal character sequence makes it\u2019s way into the `id` variable which is then string interpolated into `filename`. \n\n```jsx\nexport async function entityUpload(kind: string, id: string, attachment?: Attachment) {\n  if (!attachment) return\n  const filename = `${kind}-${id}`\n  return upload(attachment, filename)\n}\n```\n\nhttps://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/upload.ts#L55\n\nNo path normalization is conducted nor checked, so attackers can freely manipulate the path which the file is uploaded to.\n\n### Impact\n\nThis vulnerability is classified as a path traversal vulnerability. Attackers can upload image files to arbitrary locations, potentially overwriting critical system image files.\n\n### Credit\nSecurity research in collaboration with Analyst [Danyang Liu (noe223)](https://github.com/noe233) @noe233",
  "id": "GHSA-g54f-66mw-hv66",
  "modified": "2024-09-26T21:11:07Z",
  "published": "2024-09-26T18:16:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/agnaistic/agnai/security/advisories/GHSA-g54f-66mw-hv66"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47171"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/agnaistic/agnai"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/character.ts#L140:"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agnaistic/agnai/blob/75abbd5b0f5e48ddecc805365cf1574d05ee1ce5/srv/api/upload.ts#L55"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Agnai vulnerable to Relative Path Traversal in Image Upload"
}

GHSA-G5HG-47XM-JFG5

Vulnerability from github – Published: 2025-06-04 12:30 – Updated: 2025-06-04 12:30
VLAI
Details

Path Traversal vulnerability in WF Steuerungstechnik GmbH airleader MASTER allows Retrieve Embedded Sensitive Data.This issue affects airleader MASTER: 3.0046.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-35"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-04T12:15:21Z",
    "severity": "CRITICAL"
  },
  "details": "Path Traversal vulnerability in WF Steuerungstechnik GmbH airleader MASTER allows Retrieve Embedded Sensitive Data.This issue affects airleader MASTER: 3.0046.",
  "id": "GHSA-g5hg-47xm-jfg5",
  "modified": "2025-06-04T12:30:36Z",
  "published": "2025-06-04T12:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5598"
    },
    {
      "type": "WEB",
      "url": "https://github.com/migros/migros-security-advisories/blob/main/advisories/msec-2025-004_wf-seuerungstechnik-gmbh_airleader-master_path-traversal.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, the ".../...//" manipulation is useful for bypassing some path traversal protection schemes. If "../" sequences are removed from the ".../...//" string in a sequential fashion (as some regular expression engines and other algorithms operate) the string can collapse into the unsafe "../" value (CWE-182). Removing the first "../" yields "....//" and the second removal yields "../".
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.