CVE-2022-40082 — Path traversal in github.com/cloudwego/hertz

Description

Improper path sanitization on Windows permits path traversal attacks. Static file serving with the Static or StaticFS functions allows an attacker to access files from outside the filesystem root. This vulnerability does not affect non-Windows systems.

How to fix CVE-2022-40082

To remediate CVE-2022-40082, upgrade the affected package to a fixed version below.

—upgrade to 0.3.1 or later
—upgrade to 0.3.1 or later

Is CVE-2022-40082 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.3.1
from 0, < 0.3.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-40082
PATCHgithub.com/cloudwego/hertz
WEBgithub.com/cloudwego/hertz/issues/228
WEBgithub.com/cloudwego/hertz/pull/229
WEBpkg.go.dev/vuln/GO-2022-1027