JLSEC-2026-612
- Source
- https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-612.md
- Import Source
- https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-612.json
- JSON Data
- https://api.osv.dev/v1/vulns/JLSEC-2026-612
- Aliases
-
- ANT-2026-VHDP7ANW
- Upstream
- Published
- 2026-06-23T12:59:32.708Z
- Modified
- 2026-06-23T17:30:14.031434803Z
- Summary
- Path traversal in the HTTP.jl static file server via separator/absolute path segments
- Details
-
Description
The static file server decoded the request path, split it on
/, and rejected only segments exactly equal to.or... Because URL-decoding ran before the/split, an encoded backslash (%5c), a Windows drive specifier (C:\...), or a UNC prefix (\\host\share) survived inside a single segment and passed validation. On Windows,joinpaththen honored\as a separator and treated drive/UNC segments as absolute, discarding the configured document root.Impact
A remote client could read files outside the served document root and, on Windows, trigger outbound SMB/NTLM authentication via UNC paths, by crafting encoded separator, drive, or UNC segments.
Patches
Fixed in HTTP.jl v2.4.0. A new platform-independent segment validator rejects any decoded segment that is
./.., contains a path separator (/or\), contains a colon (drive specifier / alternate data stream), or is absolute; unsafe segments are mapped to a 400 response. A defense-in-depth containment backstop additionally requires the normalized joined path to remain within the normalized root.Reported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.
- Database specific
{ "license": "CC-BY-4.0" }- References