Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| OWASP | A5:2017 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
## Description

A value taken from an HTTP request (a query parameter, form field, path segment or header) is used directly as a file path in a call to open() without validation or sanitization. Because the input is not confined to the intended directory, an attacker can supply `../` segments or an absolute path and cause the application to open files outside that directory. This is a path traversal (directory traversal) vulnerability, CWE-22.

Note that a simple string prefix check on the unresolved path is not sufficient: `..` segments, absolute paths and symbolic links can all produce a final path that lies outside the intended directory even though the string starts with the expected prefix. The path must be normalized and resolved before it is compared against the allowed base directory.
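The following is an added example, not code from the page or from the scanner this rule belongs to. The rule does not state a language, but the reference to open() fits Python, so the example is in Python. It shows the flagged pattern (request input joined into a path and passed to open()) next to a hardened replacement that resolves the candidate path and checks it stays inside the base directory; the base directory, file names and contents are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def read_file_vulnerable(base_dir, user_path):
    """The pattern the rule flags: request input goes straight into open().

    os.path.join discards base_dir entirely when user_path is absolute, and
    "../" segments walk out of it, so "../../etc/passwd" reads /etc/passwd.
    """
    with open(os.path.join(base_dir, user_path), "rb") as fh:
        return fh.read()


def resolve_within(base_dir, user_path):
    """Resolve user_path against base_dir and confirm it stays inside.

    Both sides go through Path.resolve(), which collapses ".." segments and
    follows symlinks, so a symlink inside base_dir that points elsewhere is
    also caught. Returns the resolved Path or raises ValueError.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()  # an absolute user_path replaces base here
    # Compare path components, not string prefixes: "/srv/app/public2"
    # starts with "/srv/app/public" but is not inside it.
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


def is_within(base_dir, user_path):
    """Boolean form of resolve_within, convenient for tests and logging."""
    try:
        resolve_within(base_dir, user_path)
        return True
    except ValueError:
        return False


def read_file_safe(base_dir, user_path):
    """Hardened replacement for read_file_vulnerable."""
    with open(resolve_within(base_dir, user_path), "rb") as fh:
        return fh.read()


def demo():
    """Build a throwaway directory tree (constructed data) and exercise both variants.

    Returns (vulnerable_escaped, safe_rejected, safe_content) so the outcome
    can be checked without relying on printed output.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "public"            # the directory the app intends to serve
        (base / "reports").mkdir(parents=True)
        (base / "reports" / "q1.txt").write_bytes(b"quarterly report")
        (Path(tmp) / "secret.txt").write_bytes(b"db password")  # sibling, outside base

        # The vulnerable version happily reads the sibling file.
        leaked = read_file_vulnerable(base, "../secret.txt")
        vulnerable_escaped = leaked == b"db password"

        # The hardened version rejects the same input...
        try:
            read_file_safe(base, "../secret.txt")
            safe_rejected = False
        except ValueError:
            safe_rejected = True

        # ...and still serves the legitimate file.
        safe_content = read_file_safe(base, "reports/q1.txt")
        return vulnerable_escaped, safe_rejected, safe_content


if __name__ == "__main__":
    print(demo())
```

The check compares resolved path components rather than string prefixes, which is the difference between a real containment test and one that a `../../public2/` or symlink trick defeats. In a web handler, the ValueError maps naturally to a 400 or 404 response; do not echo the resolved path back to the client.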
## Impact

If exploited, an attacker can read any file the application process has permission to open, such as configuration files, credentials, private keys, or application source code. Disclosed secrets frequently enable further attacks against the application and the surrounding infrastructure, turning a single file read into a broader data breach or system compromise. If the same unvalidated path also reaches a write or delete operation, the impact extends to tampering with or destroying files on the server.