Miggo Logo
Miggo Vulnerability Database
CVE-2022-35920

CVE-2022-35920:
sanic vulnerable to Path Traversal when using `app.static` if using encoded `%2F` URLs

8.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-35920
GHSA ID
GHSA-8cw9-5hmv-77w6
EPSS Score
0.48974%
CWE
CWE-22
Published
8/6/2022
Updated
1/31/2023
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
sanicpip>= 22.0.0, < 22.6.122.6.1
sanicpip>= 21.0.0, < 21.12.221.12.2
sanicpip< 20.12.720.12.7

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from how Sanic's static file handler processes URL paths. The _static_request_handler in routes.py initially checked for '../' in the raw URL path but did not properly handle URL-decoded paths containing '%2F' (encoded slashes). This allowed lateral directory traversal when the URL was unquoted. The patch in PR #2495 modified this handler to check the decoded URI for traversal patterns, confirming this as the vulnerable function. The file path and function name are evident from the commit diff analysis and the security advisory context.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t ****ss to l*t*r*l *ir**tori*s w**n usin* `*pp.st*ti*` i* usin* *n*o*** `%**` URLs. P*r*nt *ir**tory tr*v*rs*l is not imp**t**. ### P*t***s - v**.**.* (LTS) - v**.**.* (LTS) - v**.*.* ### R***r*n**s *ttps://*it*u*.*om/s*ni*-or*/s*ni*/issu

Reasoning

T** vuln*r**ility st*ms *rom *ow S*ni*'s st*ti* *il* **n*l*r pro**ss*s URL p*t*s. T** _st*ti*_r*qu*st_**n*l*r in rout*s.py initi*lly ****k** *or '../' in t** r*w URL p*t* *ut *i* not prop*rly **n*l* URL-***o*** p*t*s *ont*inin* '%**' (*n*o*** sl*s**s