Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Property
Language: go
Severity: low
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

When extracting files from a zip archive, the code joins the archive’s file names directly with the target directory without validating the file paths. This allows zip entries with path traversal sequences (like ‘../’) to escape the intended extraction folder.

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Property
Language: go
Severity: medium
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP: A05:2017 - Broken Access Control
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

Using Go’s filepath.Clean or path.Clean to sanitize user-supplied file paths is unsafe, as these functions only normalize the path and do not prevent path traversal attacks. Attackers can still craft inputs to access files outside the intended directory.
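The two Go findings above (zip extraction that joins entry names onto the target directory, and reliance on Clean) share one fix: validate each name for containment before joining. The sketch below is an added example, not code from the scanner or from any scanned project; `safeJoin`, `planExtraction`, `sampleZip` and the `/srv/extract` directory are illustrative names, and it assumes Go 1.20 or later for `filepath.IsLocal` and `zip.ErrInsecurePath`.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
)

// safeJoin rejects names that are absolute or climb out via ".." before joining; Clean alone keeps a leading "..".
func safeJoin(base, name string) (string, error) {
	if !filepath.IsLocal(name) {
		return "", fmt.Errorf("entry %q escapes %q", name, base)
	}
	return filepath.Join(base, name), nil
}

// planExtraction checks every entry name in the archive before anything would be written to disk.
func planExtraction(data []byte, dest string) (ok, rejected []string, err error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil && err != zip.ErrInsecurePath {
		return nil, nil, err
	}
	for _, f := range r.File {
		if p, e := safeJoin(dest, f.Name); e != nil {
			rejected = append(rejected, f.Name)
		} else {
			ok = append(ok, p)
		}
	}
	return ok, rejected, nil
}

func sampleZip(names ...string) ([]byte, error) {
	var buf bytes.Buffer // constructed in-memory archive with empty entries, not real data
	w := zip.NewWriter(&buf)
	for _, n := range names {
		if _, err := w.Create(n); err != nil {
			return nil, err
		}
	}
	err := w.Close()
	return buf.Bytes(), err
}

func main() {
	data, _ := sampleZip("docs/readme.txt", "../outside.txt", "a/../../b.txt")
	fmt.Println(planExtraction(data, "/srv/extract"))
	fmt.Println(filepath.Clean("../../etc/passwd")) // normalized, still climbs upward
}
```

`filepath.IsLocal` is a purely lexical check; it does not follow symlinks already present under the destination directory.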

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Property
Language: scala
Severity: low
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code reads files using user-supplied input to build file paths without proper validation. This allows attackers to manipulate the path and access files outside the intended directory, potentially exposing sensitive data.

Impact

If exploited, an attacker could read arbitrary files from the server’s filesystem, such as configuration files, credentials, or other private data. This can lead to information leaks, further attacks, or full system compromise.

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Property
Language: java
Severity: high
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP: A05:2017 - Broken Access Control
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

The application uses user-supplied input to build file paths without proper validation, allowing attackers to manipulate the path (e.g., using ‘../’) and access files outside the intended directory. This can occur when handling file operations based on data from HTTP requests.

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Property
Language: java
Severity: low
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP: A05:2017 - Broken Access Control
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The code constructs file paths using values directly from HTTP path parameters without proper validation. This allows attackers to manipulate the path (e.g., using ‘../’) to access files outside the intended directory.

Impact

An attacker could exploit this to read, modify, or delete sensitive files on the server that should not be accessible, potentially exposing confidential data or disrupting application functionality.

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Property
Language: javascript
Severity: high
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP: A05:2017 - Broken Access Control
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

User input from HTTP requests is being passed directly to path.join or path.resolve when building file paths in Express applications. This can allow attackers to manipulate file paths and access or overwrite files outside the intended directory.

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Property
Language: javascript
Severity: medium
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: High

Description

The code uses user-provided input as a file path with Node.js ‘fs’ functions without proper validation. This allows attackers to manipulate file paths, potentially accessing or modifying unintended files on the server.

Impact

If exploited, an attacker could read, overwrite, or delete sensitive files outside the intended directory, leading to data breaches, loss of critical information, or system compromise. This can expose confidential data and disrupt application functionality.

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Property
Language: javascript
Severity: medium
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: High

Description

User-provided input is being passed directly into path.join or path.resolve functions without proper validation. This can let attackers construct file paths that access files or directories outside the intended location.

Impact

If exploited, an attacker could read, modify, or delete sensitive files on the server by manipulating file paths (e.g., using ‘../’). This could lead to data breaches, exposure of credentials, or compromise of the entire system.

Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Property
Language: php
Severity: low
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Deleting files using unlink() with file paths from user input is unsafe. Attackers could supply paths to files they shouldn’t have access to, leading to unauthorized file deletion.

Impact

If exploited, an attacker could delete critical system or application files, disrupt service, or remove data they aren’t authorized to manage. This can result in data loss, application downtime, or further security breaches.