Vulnerability Report: GO-2024-3293
- Affects: goyave.dev/goyave/v5
- Published: Dec 13, 2024
Static file serving using router.Static together with osfs.FS allows clients to access any file on the host file system through relative paths: the requested path is not sanitized, and "." and ".." segments are accepted. The file is returned as the response, provided the system user running the Go application has read access to it.

As a workaround, serve static content with Router.Static from fsutil.NewEmbed(embeddedFS) (package goyave.dev/goyave/v5/util/fsutil) instead of &osfs.FS. Embedded file systems are rooted to the specified directory, so a request cannot navigate outside the directory the developer intended to expose.
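The following added example (not code from the goyave project) contrasts the defect described above with the rooting rule an fs.FS enforces, using only the Go standard library. The function names unsafeStaticPath, safeStaticPath and openRooted and the in-memory staticFS are constructed for illustration; a real embed.FS behaves like the fstest.MapFS used here because both refuse any path that fails fs.ValidPath.

```go
package main

import (
	"errors"
	"io/fs"
	"path/filepath"
	"strings"
	"testing/fstest"
)

// ErrOutsideRoot is returned when a request path is refused before any disk access.
var ErrOutsideRoot = errors.New("static request path is not a clean relative path")

// unsafeStaticPath reproduces the defect in the report: the request path is joined
// onto the OS directory without rejecting "." and ".." segments, so filepath.Join
// resolves the traversal against the host file system instead of the static root.
func unsafeStaticPath(root, requested string) string {
	return filepath.Join(root, requested)
}

// safeStaticPath applies the rule an fs.FS (embed.FS included) enforces on every
// Open: the path must satisfy fs.ValidPath, i.e. be slash-separated, relative and
// free of "." and ".." elements. Backslashes are also refused because on Windows
// filepath would treat them as separators even though fs.ValidPath allows them.
func safeStaticPath(root, requested string) (string, error) {
	p := strings.TrimPrefix(requested, "/")
	if p == "" {
		p = "." // the root directory itself, e.g. for an index page
	}
	if !fs.ValidPath(p) || strings.ContainsRune(p, '\\') {
		return "", ErrOutsideRoot
	}
	return filepath.Join(root, filepath.FromSlash(p)), nil
}

// openRooted shows the same property directly on an fs.FS: a traversal request
// fails inside Open, so no host path is ever built from it.
func openRooted(fsys fs.FS, requested string) error {
	f, err := fsys.Open(strings.TrimPrefix(requested, "/"))
	if err != nil {
		return err
	}
	return f.Close()
}

// staticFS is constructed sample content standing in for an embedded file system.
var staticFS = fstest.MapFS{
	"index.html": &fstest.MapFile{Data: []byte("<h1>hello</h1>")},
}
```

On a Unix host, unsafeStaticPath("/srv/static", "../../etc/passwd") yields "/etc/passwd", while safeStaticPath refuses the same request and openRooted on staticFS returns an error for "/../index.html".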
Affected Packages
- Path: goyave.dev/goyave/v5
- Go Versions: from v5.0.0 before v5.5.0
References
- https://github.com/go-goyave/goyave/commit/5836bff3efaa8a37fbd58d077b93f03e93e05edd
- https://github.com/golang/vulndb/issues/3293
- https://vuln.go.dev/ID/GO-2024-3293.json