The vulnerability stems from two related defects. First, `Smarty_Security::_checkDir` validated directories against the unnormalized path, so a resource name could still contain `.` and `..` components when the trusted-directory comparison ran; `realpath` resolution only happened afterwards. Second, `Smarty::_realpath` handled relative paths and mixed directory separators loosely, so those components were not reliably collapsed. The patch changed both functions: `_checkDir` now calls `_realpath` before comparing against the trusted directories, and `_realpath`'s separator handling was tightened. The GHSA advisory cites a bypass via `file:./../`, which worked against the pre-patch code precisely because relative path components were not collapsed before the security check was applied.
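To make the ordering problem concrete, here is an added illustration in PHP; it is not Smarty's own code. The function names (`check_dir_vulnerable`, `check_dir_fixed`, `normalize_path`) and the template directory and payload are assumptions chosen for the demo, and the lexical normalizer stands in for `realpath()` so the script runs without those paths existing on disk. The two checkers differ only in whether the path is normalized before the trusted-directory prefix comparison, which is the distinction the advisory describes.

```php
<?php
// Added illustration, not Smarty's code: a trusted-directory check in the two
// orderings the advisory describes (prefix check before vs. after normalization).

/**
 * Collapse '.' and '..' segments and repeated separators lexically.
 * This stands in for realpath() so the demo runs without touching the filesystem.
 */
function normalize_path(string $path): string
{
    $path = str_replace('\\', '/', $path);          // treat both separators alike
    $absolute = str_starts_with($path, '/');
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                                // empty or '.' segments are no-ops
        }
        if ($seg === '..') {
            if ($out !== [] && end($out) !== '..') {
                array_pop($out);                     // climb one level
            } elseif (!$absolute) {
                $out[] = '..';                       // a relative path may still climb
            }
            continue;
        }
        $out[] = $seg;
    }
    return ($absolute ? '/' : '') . implode('/', $out);
}

/** True if $path lies inside $dir, judged purely on the string prefix. */
function is_under(string $path, string $dir): bool
{
    return str_starts_with($path, rtrim($dir, '/') . '/');
}

/** Vulnerable ordering: the prefix check sees the raw, unnormalized join. */
function check_dir_vulnerable(string $resource, string $templateDir, array $trusted): bool
{
    // e.g. "/srv/app/templates/./../../etc/passwd" still begins with the trusted prefix
    $candidate = rtrim($templateDir, '/') . '/' . $resource;
    foreach ($trusted as $dir) {
        if (is_under($candidate, $dir)) {
            return true;
        }
    }
    return false;
}

/** Hardened ordering: normalize first, then compare against normalized trusted dirs. */
function check_dir_fixed(string $resource, string $templateDir, array $trusted): bool
{
    $candidate = normalize_path(rtrim($templateDir, '/') . '/' . $resource);
    foreach ($trusted as $dir) {
        if (is_under($candidate, normalize_path($dir))) {
            return true;
        }
    }
    return false;
}

// Constructed inputs (assumed, not from the advisory): a template directory and
// the part of a 'file:./../...' resource name that follows the 'file:' prefix.
$templateDir = '/srv/app/templates';
$trusted     = ['/srv/app/templates'];
$payload     = './../../etc/passwd';

printf("vulnerable check allows traversal: %s\n",
    check_dir_vulnerable($payload, $templateDir, $trusted) ? 'yes' : 'no');
printf("fixed check allows traversal:      %s\n",
    check_dir_fixed($payload, $templateDir, $trusted) ? 'yes' : 'no');
```

The vulnerable checker accepts the payload because the joined string literally begins with the trusted directory; only after normalization does the candidate resolve to a location outside it and get rejected. Using `realpath()` in place of `normalize_path()` gives the same ordering guarantee on a real filesystem, with the added benefit of resolving symlinks, but it returns `false` for paths that do not exist, which the caller must then treat as a rejection rather than fall back to the raw string.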
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| smarty/smarty | composer | < 3.1.33 | 3.1.33 |