Vulnerability Report: GO-2022-0355

The fasthttp.FS request handler is vulnerable to directory traversal attacks on Windows systems, and can serve files from outside the provided root directory. URL path normalization does not handle Windows path separators (backslashes), permitting an attacker to construct requests with relative paths.
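The gap described above, as an added example (not fasthttp's code or its actual fix): a normalizer that only understands "/" is compared with one that also treats "\" as a separator, and a defensive check flags results that would resolve above the root on Windows. The function names and the sample request path are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// isSep treats both "/" and "\" as separators, as Windows file APIs do.
func isSep(r rune) bool { return r == '/' || r == '\\' }

// cleanSlashOnly models URL path normalization that only knows "/".
// A segment such as `..\..\secret.txt` is kept as one opaque name.
func cleanSlashOnly(urlPath string) string {
	return path.Clean("/" + urlPath)
}

// cleanBothSeparators unifies "\" to "/" first, so ".." segments written
// with backslashes are resolved against the root like any other.
func cleanBothSeparators(urlPath string) string {
	return path.Clean("/" + strings.ReplaceAll(urlPath, `\`, "/"))
}

// escapesRootOnWindows reports whether p, joined under a root directory on
// Windows, would resolve to a location above that root.
func escapesRootOnWindows(p string) bool {
	depth := 0
	for _, seg := range strings.FieldsFunc(p, isSep) {
		switch seg {
		case ".":
		case "..":
			if depth--; depth < 0 {
				return true
			}
		default:
			depth++
		}
	}
	return false
}

func main() {
	req := `/static/..\..\secret.txt` // constructed sample request path
	for _, p := range []string{cleanSlashOnly(req), cleanBothSeparators(req)} {
		fmt.Printf("%-28q escapes root on Windows: %v\n", p, escapesRootOnWindows(p))
	}
}
```

The depth check models Windows separator semantics in portable code, so it behaves the same on any operating system and can be used in tests that run off Windows.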

Affected Packages

Aliases

References

Credits

  • egovorukhin
