Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description#
User input from HTTP requests is being used directly to select files for FileResponse, without validation. This lets attackers specify any file path, potentially accessing files they shouldn’t be able to.
Impact#
An attacker could exploit this to read sensitive files from your server, such as configuration files, user data, or credentials, leading to data breaches or system compromise. This could expose confidential business or personal information and violate security or privacy policies.