Skip to main content

Relative Path Traversal


Severity High
Score 8.7/10


EverShop web application in versions prior to 1.0.0-rc.8 is missing input validation in the function 'unlinkSync' in 'deleteFile.js', leading to a Relative Path Traversal vulnerability that enables arbitrary file deletion. This vulnerability extends beyond path traversal since the endpoint "/api/files" allows "DELETE" requests which then allow for file deletion across the filesystem.

  • LOW
  • HIGH
  • NONE
  • HIGH
  • NONE
  • HIGH

CWE-23 - Relative Path Traversal

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Advisory Timeline

  • Published