GHSA-f6pr-83pg-ghh6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f6pr-83pg-ghh6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-f6pr-83pg-ghh6/GHSA-f6pr-83pg-ghh6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f6pr-83pg-ghh6
- Aliases
-
- CVE-2026-42351
- Published
- 2026-04-29T22:18:02Z
- Modified
- 2026-05-13T13:52:29.173724Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- pygeoapi 0.23.x: Path Traversal in STAC FileSystemProvider
- Details
-
Impact
A raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with
..values, along with a resource of typestac-collectiondefined in configuration.Patches
The issue has been patched in master branch and made available as part of the 0.23.3 release.
The commit/fix can be found in bf25b8695edbdd5476eeffc102b633d1d3e45f52.
Workarounds
Users can safeguard existing applications by disabling STAC collection based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.
- Database specific
{ "github_reviewed_at": "2026-04-29T22:18:02Z", "github_reviewed": true, "cwe_ids": [ "CWE-22" ], "nvd_published_at": "2026-05-08T23:16:38Z", "severity": "HIGH" }- References
-
- https://github.com/geopython/pygeoapi/security/advisories/GHSA-f6pr-83pg-ghh6
- https://nvd.nist.gov/vuln/detail/CVE-2026-42351
- https://github.com/geopython/pygeoapi/commit/bf25b8695edbdd5476eeffc102b633d1d3e45f52
- https://github.com/geopython/pygeoapi
- https://github.com/geopython/pygeoapi/releases/tag/0.23.3
Affected packages
PyPI / pygeoapi
Package
- Name
- pygeoapi
- View open source insights on deps.dev
- Purl
- pkg:pypi/pygeoapi