| Property | Value |
| --- | --- |
| Language | javascript |
| Severity | medium |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | High |

Description

User-provided input is being passed directly into path.join or path.resolve functions without proper validation. This can let attackers construct file paths that access files or directories outside the intended location.

Impact

If exploited, an attacker could read, modify, or delete sensitive files on the server by manipulating file paths (e.g., using ‘../’). This could lead to data breaches, exposure of credentials, or compromise of the entire system.
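
The flagged pattern from the Description next to a hardened form, as an added example that is not part of the original rule page. `BASE_DIR`, the function names and the sample inputs are constructed for illustration; the check resolves the path first and then confirms it is still inside the base directory.

```javascript
const path = require('path');

// Assumed upload root for this example (hypothetical path).
const BASE_DIR = path.resolve('/srv/app/uploads');

// Pattern the rule flags: user input goes straight into path.join.
// '../' segments are normalized away and walk out of BASE_DIR.
function unsafeResolve(userInput) {
  return path.join(BASE_DIR, userInput);
}

// Hardened form: resolve against the base, then verify containment.
function safeResolve(userInput) {
  if (typeof userInput !== 'string' || userInput.includes('\0')) {
    throw new Error('invalid file name');
  }
  // path.resolve lets an absolute userInput replace BASE_DIR entirely,
  // so the containment check below must run on the final result.
  const resolved = path.resolve(BASE_DIR, userInput);
  const rel = path.relative(BASE_DIR, resolved);
  // rel is '' for BASE_DIR itself, begins with '..' when the target is
  // outside, and is absolute on Windows when it sits on another drive.
  // Comparing with path.relative instead of a string prefix also rejects
  // sibling directories such as '/srv/app/uploads-private'.
  if (rel === '' || rel === '..' ||
      rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path escapes base directory');
  }
  return resolved;
}

// Helper for the constructed inputs below: true when the input is accepted.
function isAllowed(userInput) {
  try { safeResolve(userInput); return true; } catch { return false; }
}

// Constructed sample inputs, not taken from any real request.
for (const input of ['reports/q1.pdf', 'a/../b.txt', '../../../etc/passwd',
                     '/etc/passwd', '../uploads-private/key']) {
  console.log(JSON.stringify(input), isAllowed(input) ? 'allowed' : 'rejected');
}
```

`path.resolve` and `path.relative` work on strings only and do not follow symbolic links; where links can exist under the base directory, compare the result of `fs.realpathSync` instead.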