Skip to main content

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')


Severity Low
Score 3.7/10


The package and versions v0.0.0-20160816185256-f0e11a3ccc7e through v0.0.0-20220518034528-6f7dac969898 are vulnerable to Path Traversal Vulnerability. The param "httpTokenCacheKey" uses "path.Base" to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, "path.Base" acts differently to "filepath.Base", since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. ".well-known/acme-challenge/..\..\asd" becomes "..\..\asd". The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.

  • HIGH
  • NONE
  • NONE
  • NONE
  • LOW
  • NONE

CWE-22 - Path Traversal

Path traversal (or directory traversal), is a vulnerability that allows malicious users to traverse the server's root directory, gaining access to arbitrary files and folders such as application code & data, back-end credentials, and sensitive operating system files. In the worst-case scenario, an attacker could potentially execute arbitrary files on the server, resulting in a denial of service attack. Such an exploit may severely impact the integrity, confidentiality, and availability of an application.

Advisory Timeline

  • Published