GHSA-hxf2-gm22-7vcm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hxf2-gm22-7vcm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hxf2-gm22-7vcm/GHSA-hxf2-gm22-7vcm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hxf2-gm22-7vcm
- Aliases
-
- CVE-2026-35583
- Published
- 2026-04-08T00:12:55Z
- Modified
- 2026-04-08T00:21:35.490372Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Emissary has a Path Traversal via Blacklist Bypass in Configuration API
- Details
-
Summary
The configuration API endpoint (
/api/configuration/{name}) validated configuration names using a blacklist approach that checked for\,/,.., and trailing.. This could potentially be bypassed using URL-encoded variants, double-encoding, or Unicode normalization to achieve path traversal and read configuration files outside the intended directory.Details
Vulnerable code —
Configs.java(line 126)protected static String validate(String config) { if (StringUtils.isBlank(config) || config.contains("\\") || config.contains("/") || config.contains("..") || config.endsWith(".")) { throw new IllegalArgumentException("Invalid config name: " + config); } return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING); }Weakness
The blacklist blocked literal
\,/,.., and trailing.but could potentially miss:- URL-encoded variants (
%2e%2e%2f) if decoded after validation - Double-encoded sequences (
%252e%252e%252f) - Unicode normalization bypasses
- The approach relies on string matching rather than canonical path resolution
Impact
- Potential read access to configuration files outside the intended config directory
- Information disclosure of sensitive configuration values
Remediation
Fixed in PR #1292, merged into release 8.39.0.
The blacklist was replaced with an allowlist regex that only permits characters matching
^[a-zA-Z0-9._-]+$:protected static final Pattern VALID_CONFIG_NAME = Pattern.compile("^[a-zA-Z0-9._-]+$"); protected static String validate(String config) { if (!VALID_CONFIG_NAME.matcher(config).matches() || config.contains("..") || config.endsWith(".")) { throw new IllegalArgumentException("Invalid config name: " + config); } return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING); }This ensures that any character outside the allowed set — including encoded slashes, percent signs, and Unicode sequences — is rejected before the config name reaches the filesystem.
Tests were added to verify that URL-encoded (
%2e%2e%2f), double-encoded (%252e%252e%252f), and Unicode (U+002F) traversal attempts are blocked.Workarounds
If upgrading is not immediately possible, deploy a reverse proxy or WAF rule that rejects requests to
/api/configuration/containing encoded path traversal sequences.References
- PR #1292 — validate config name with an allowlist
- Original report: GHSA-wjqm-p579-x3ww
- URL-encoded variants (
- Database specific
{ "nvd_published_at": "2026-04-07T17:16:33Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-22" ], "github_reviewed_at": "2026-04-08T00:12:55Z" }- References
Affected packages
Maven / gov.nsa.emissary:emissary
Package
- Name
- gov.nsa.emissary:emissary
- View open source insights on deps.dev
- Purl
- pkg:maven/gov.nsa.emissary/emissary
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed8.39.0