CVE-2022-21221
Path traversal in github.com/valyala/fasthttp
7.5
HIGH
CVSS 3.1
EPSS 0.57%
Description
The fasthttp.FS request handler is vulnerable to directory traversal attacks on Windows systems, and can serve files from outside the provided root directory. URL path normalization does not handle Windows path separators (backslashes), permitting an attacker to construct requests with relative paths.
How to fix CVE-2022-21221
To remediate CVE-2022-21221, upgrade the affected package to a fixed version below.
- upgrade to 1.34.0 or later
Is CVE-2022-21221 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.34.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |