-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from the directory traversal check in StaticFiles handling. The commit diff shows a critical change from os.path.commonprefix() to os.path.commonpath() in starlette/staticfiles.py. The original commonprefix approach failed to properly validate() path components, as demonstrated in the PoC where paths like '/static/../static1.txt' bypassed security checks. The lookup_path function is directly responsible for path validation in static file handling, making it the clear vulnerable function. Multiple sources (advisory, CWE-22 mapping, and commit analysis) confirm this root cause.
PythonPython| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| starlette | pip | >= 0.13.5, < 0.27.0 | 0.27.0 |
Ongoing coverage of React2Shell