N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-6xv5-86q9-7xr8

EPSS Score

CWE

Published

9/7/2023

Updated

9/7/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-6xv5-86q9-7xr8

GHSA-6xv5-86q9-7xr8: SecureJoin: on windows, paths outside of the rootfs could be inadvertently produced

Impact

For Windows users of github.com/cyphar/filepath-securejoin, until v0.2.4 it was possible for certain rootfs and path combinations (in particular, where a malicious Unix-style /-separated unsafe path was used with a Windows-style rootfs path) to result in generated paths that were outside of the provided rootfs.

It is unclear to what extent this has a practical impact on real users, but given the possible severity of the issue we have released an emergency patch release that resolves this issue.

Thanks to @pjbgf for discovering, debugging, and fixing this issue (as well as writing some tests for it).

Patches

c121231e1276e11049547bee5ce68d5a2cfe2d9b is the patch fixing this issue. v0.2.4 contains the fix.

Workarounds

Users could use filepath.FromSlash() on all unsafe paths before passing them to filepath-securejoin.

References

See #9.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-6xv5-86q9-7xr8

EPSS Score

CWE

Published

9/7/2023

Updated

9/7/2023

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cyphar/filepath-securejoin	go	< 0.2.4	0.2.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of Windows volume names in path joining logic. The original implementation in SecureJoinVFS did not strip volume names from 'unsafePath' (via filepath.VolumeName), enabling scenarios where a malicious path like 'D:\malicious' combined with a rootfs 'C:\safe' could resolve outside the rootfs. The patch explicitly adds volume name stripping, confirming this was the vulnerable code path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *or Win*ows us*rs o* `*it*u*.*om/*yp**r/*il*p*t*-s**ur*join`, until v*.*.* it w*s possi*l* *or **rt*in root*s *n* p*t* *om*in*tions (in p*rti*ul*r, w**r* * m*li*ious Unix-styl* `/`-s*p*r*t** uns*** p*t* w*s us** wit* * Win*ows-styl* root*s

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* Win*ows volum* n*m*s in p*t* joinin* lo*i*. T** ori*in*l impl*m*nt*tion in `S**ur*JoinV*S` *i* not strip volum* n*m*s *rom 'uns***P*t*' (vi* `*il*p*t*.Volum*N*m*`), *n**lin* s**n*rios w**r* * m*li*iou

N/A

Basic Information

Concerned about an active attack path?

GHSA-6xv5-86q9-7xr8: SecureJoin: on windows, paths outside of the rootfs could be inadvertently produced

Impact

Patches

Workarounds

References

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI