Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | High |
Description
The code uses user-provided input as a file path with Node.js ‘fs’ functions without proper validation. This allows attackers to manipulate file paths, potentially accessing or modifying unintended files on the server.
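The flagged pattern beside a hardened form, as an added example that is not part of the original rule page. The function names and the temporary directory layout are constructed for illustration, and the hardened check goes slightly beyond the description by also covering absolute paths and symlinks.

```javascript
// Added example: hypothetical function names, constructed directory layout.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Vulnerable pattern the rule flags: user input reaches fs unchecked.
function readUnsafe(baseDir, userPath) {
  return fs.readFileSync(path.join(baseDir, userPath), 'utf8');
}

// Hardened form: resolve, follow symlinks, then confirm containment.
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) {
    throw new Error('invalid path');
  }
  const base = fs.realpathSync(baseDir);
  // path.resolve collapses ".." segments and honours absolute input,
  // so the containment check below runs on the final location.
  const candidate = path.resolve(base, userPath);
  // realpathSync follows symlinks (and throws if the file is missing),
  // so a link inside baseDir that points outside it is also caught.
  const real = fs.realpathSync(candidate);
  const rel = path.relative(base, real);
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path escapes base directory');
  }
  return real;
}

function readSafe(baseDir, userPath) {
  return fs.readFileSync(resolveInside(baseDir, userPath), 'utf8');
}

// Constructed sample layout: <tmp>/uploads/report.txt and <tmp>/secret.txt
function makeSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'cwe22-'));
  const uploads = path.join(root, 'uploads');
  fs.mkdirSync(uploads);
  fs.writeFileSync(path.join(uploads, 'report.txt'), 'public');
  fs.writeFileSync(path.join(root, 'secret.txt'), 'private');
  return { root, uploads };
}

// Helper for comparing both readers: returns file content or 'REJECTED'.
function tryRead(fn, baseDir, userPath) {
  try { return fn(baseDir, userPath); } catch (e) { return 'REJECTED'; }
}
```

Comparing against the real path of the base directory matters on systems where the temporary or upload directory is itself reached through a symlink.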
Impact
If exploited, an attacker could read, overwrite, or delete sensitive files outside the intended directory, leading to data breaches, loss of critical information, or system compromise. This can expose confidential data and disrupt application functionality.