GHSA-459f-x8vq-xjjm

Suggest an improvement
Source
https://github.com/advisories/GHSA-459f-x8vq-xjjm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-459f-x8vq-xjjm/GHSA-459f-x8vq-xjjm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-459f-x8vq-xjjm
Aliases
Published
2025-12-08T22:18:00Z
Modified
2025-12-09T19:36:56.381097Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Static Web Server vulnerable to a symbolic link path traversal
Details

Summary

Symbolic links (symlinks) could be used to access files or directories outside the intended web root folder.

Details

SWS generally does not prevent symlinks from escaping the web server’s root directory. Therefore, if a malicious actor gains access to the web server’s root directory, they could create symlinks to access other files outside the designated web root folder either by URL or via the directory listing.

PoC

  • Serve a directory (web root) with SWS.
  • Create a symlink inside the web root that points to a file outside the web root. e.g. ln -s escape.txt $HOME/.bashrc
  • Open http://localhost/escape.txt in your browser.
  • The file content will be served.

Impact

Any web server that runs with elevated privileges (e.g., root/administrator) and handles user-supplied file uploads is primarily impacted.

Database specific 
{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-61"
    ],
    "github_reviewed_at": "2025-12-08T22:18:00Z",
    "nvd_published_at": "2025-12-09T16:18:24Z",
    "github_reviewed": true
}
References

Affected packages

crates.io / static-web-server

Package

Name
static-web-server
View open source insights on deps.dev
Purl
pkg:cargo/static-web-server

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.40.1

Database specific

last_known_affected_version_range

"<= 2.40.0"