The fasthttp.FS request handler is vulnerable to directory traversal attacks on Windows systems, and can serve files from outside the provided root directory.
URL path normalization does not handle Windows path separators (backslashes), so an attacker can craft request paths containing relative path components that escape the root directory.
{
"review_status": "REVIEWED",
"url": "https://pkg.go.dev/vuln/GO-2022-0355"
}{
"imports": [
{
"path": "github.com/valyala/fasthttp",
"symbols": [
"AppendBrotliBytes",
"AppendBrotliBytesLevel",
"AppendDeflateBytes",
"AppendDeflateBytesLevel",
"AppendGunzipBytes",
"AppendGzipBytes",
"AppendGzipBytesLevel",
"AppendHTTPDate",
"AppendInflateBytes",
"AppendUnbrotliBytes",
"Args.WriteTo",
"Client.CloseIdleConnections",
"Client.Do",
"Client.DoDeadline",
"Client.DoRedirects",
"Client.DoTimeout",
"Client.Get",
"Client.GetDeadline",
"Client.GetTimeout",
"Client.Post",
"Cookie.AppendBytes",
"Cookie.Cookie",
"Cookie.Parse",
"Cookie.ParseBytes",
"Cookie.String",
"Cookie.WriteTo",
"Dial",
"DialDualStack",
"DialDualStackTimeout",
"DialTimeout",
"Do",
"DoDeadline",
"DoRedirects",
"DoTimeout",
"FS.NewRequestHandler",
"FSHandler",
"FileLastModified",
"GenerateTestCertificate",
"Get",
"GetDeadline",
"GetTimeout",
"HostClient.CloseIdleConnections",
"HostClient.Do",
"HostClient.DoDeadline",
"HostClient.DoRedirects",
"HostClient.DoTimeout",
"HostClient.Get",
"HostClient.GetDeadline",
"HostClient.GetTimeout",
"HostClient.Post",
"LBClient.Do",
"LBClient.DoDeadline",
"LBClient.DoTimeout",
"ListenAndServe",
"ListenAndServeTLS",
"ListenAndServeTLSEmbed",
"ListenAndServeUNIX",
"NewStreamReader",
"ParseByteRange",
"ParseHTTPDate",
"ParseIPv4",
"PipelineClient.Do",
"PipelineClient.DoDeadline",
"PipelineClient.DoTimeout",
"PipelineClient.PendingRequests",
"Post",
"Request.Body",
"Request.BodyGunzip",
"Request.BodyInflate",
"Request.BodyUnbrotli",
"Request.BodyWriteTo",
"Request.ContinueReadBody",
"Request.ContinueReadBodyStream",
"Request.Host",
"Request.MultipartForm",
"Request.PostArgs",
"Request.Read",
"Request.ReadBody",
"Request.ReadLimitBody",
"Request.SetBodyStreamWriter",
"Request.SetHost",
"Request.SetHostBytes",
"Request.String",
"Request.SwapBody",
"Request.URI",
"Request.Write",
"Request.WriteTo",
"RequestCtx.FormFile",
"RequestCtx.FormValue",
"RequestCtx.Host",
"RequestCtx.IfModifiedSince",
"RequestCtx.MultipartForm",
"RequestCtx.Path",
"RequestCtx.PostArgs",
"RequestCtx.PostBody",
"RequestCtx.QueryArgs",
"RequestCtx.Redirect",
"RequestCtx.RedirectBytes",
"RequestCtx.SendFile",
"RequestCtx.SendFileBytes",
"RequestCtx.SetBodyStreamWriter",
"RequestCtx.String",
"RequestCtx.URI",
"RequestHeader.Add",
"RequestHeader.AddBytesK",
"RequestHeader.AddBytesKV",
"RequestHeader.AddBytesV",
"RequestHeader.Read",
"RequestHeader.ReadTrailer",
"RequestHeader.Set",
"RequestHeader.SetByteRange",
"RequestHeader.SetBytesK",
"RequestHeader.SetBytesKV",
"RequestHeader.SetBytesV",
"RequestHeader.SetCanonical",
"RequestHeader.SetReferer",
"RequestHeader.SetRefererBytes",
"RequestHeader.Write",
"Response.Body",
"Response.BodyGunzip",
"Response.BodyInflate",
"Response.BodyUnbrotli",
"Response.BodyWriteTo",
"Response.Read",
"Response.ReadBody",
"Response.ReadLimitBody",
"Response.SendFile",
"Response.SetBodyStreamWriter",
"Response.String",
"Response.SwapBody",
"Response.Write",
"Response.WriteDeflate",
"Response.WriteDeflateLevel",
"Response.WriteGzip",
"Response.WriteGzipLevel",
"Response.WriteTo",
"ResponseHeader.Add",
"ResponseHeader.AddBytesK",
"ResponseHeader.AddBytesKV",
"ResponseHeader.AddBytesV",
"ResponseHeader.AppendBytes",
"ResponseHeader.Cookie",
"ResponseHeader.DelClientCookie",
"ResponseHeader.DelClientCookieBytes",
"ResponseHeader.Header",
"ResponseHeader.Read",
"ResponseHeader.ReadTrailer",
"ResponseHeader.Set",
"ResponseHeader.SetBytesK",
"ResponseHeader.SetBytesKV",
"ResponseHeader.SetBytesV",
"ResponseHeader.SetCanonical",
"ResponseHeader.SetContentRange",
"ResponseHeader.SetCookie",
"ResponseHeader.SetLastModified",
"ResponseHeader.String",
"ResponseHeader.Write",
"ResponseHeader.WriteTo",
"SaveMultipartFile",
"Serve",
"ServeConn",
"ServeFile",
"ServeFileBytes",
"ServeFileBytesUncompressed",
"ServeFileUncompressed",
"ServeTLS",
"ServeTLSEmbed",
"Server.AppendCert",
"Server.AppendCertEmbed",
"Server.ListenAndServe",
"Server.ListenAndServeTLS",
"Server.ListenAndServeTLSEmbed",
"Server.ListenAndServeUNIX",
"Server.Serve",
"Server.ServeConn",
"Server.ServeTLS",
"Server.ServeTLSEmbed",
"Server.Shutdown",
"TCPDialer.Dial",
"TCPDialer.DialDualStack",
"TCPDialer.DialDualStackTimeout",
"TCPDialer.DialTimeout",
"URI.Parse",
"URI.Update",
"URI.UpdateBytes",
"URI.WriteTo",
"WriteBrotli",
"WriteBrotliLevel",
"WriteDeflate",
"WriteDeflateLevel",
"WriteGunzip",
"WriteGzip",
"WriteGzipLevel",
"WriteInflate",
"WriteMultipartForm",
"WriteUnbrotli",
"bigFileReader.Read",
"bigFileReader.WriteTo",
"ctxLogger.Printf",
"firstByteReader.Read",
"flushWriter.Write",
"fsFile.NewReader",
"fsSmallFileReader.WriteTo",
"hijackConn.Close",
"hijackConn.Read",
"perIPConn.Close",
"perIPConnCounter.Unregister",
"pipelineConnClient.Do",
"pipelineConnClient.DoDeadline",
"pipelineConnClient.PendingRequests",
"requestStream.Read",
"statsWriter.Write",
"tcpKeepaliveListener.Accept",
"workerPool.Serve"
]
}
]
}