
Arbitrary file read using percent-encoded relative paths in FileMiddleware

Critical
tanner0101 published GHSA-vcvg-xgr8-p5gq Sep 30, 2020

Package

Vapor (vapor)

Affected versions

4.0.0-rc.2.5 ... 4.29.3

Patched versions

>=4.29.4

Description

Impact

Attackers can access data at arbitrary filesystem paths on the same host as an application using FileMiddleware.
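The advisory title attributes the file read to percent-encoded relative paths: a static-file handler that looks for `..` in the raw request path never sees `%2e%2e`, but the filesystem does once the path is decoded. The following is an added, constructed illustration in Python (not Vapor's FileMiddleware code, and not the fix shipped in 4.29.4) of the general defensive pattern: decode first, reject parent-directory segments, then confirm the resolved path still lies under the document root. The root directory `/srv/app/Public` and the request paths are made-up values.

```python
"""Added example: path-containment check for a static-file handler.

Constructed for illustration; this is not Vapor's FileMiddleware
implementation. PUBLIC_ROOT is an assumed document root.
"""
import posixpath
from urllib.parse import unquote

# Assumed document root for the example (constructed value).
PUBLIC_ROOT = "/srv/app/Public"


def naive_rejects_traversal(raw_request_path: str) -> bool:
    """The weak pattern: inspect the path *before* percent-decoding.

    Returns True when the check would block the request. A request for
    '/%2e%2e/etc/passwd' contains no literal '..', so this returns False
    even though the decoded path climbs out of the root.
    """
    return ".." in raw_request_path


def resolve_static_path(raw_request_path: str, root: str = PUBLIC_ROOT):
    """Hardened pattern: return the absolute file path to serve, or None
    if the request must be refused.

    Steps:
      1. Percent-decode, so the check sees what the filesystem will see.
      2. Refuse NUL bytes, which can truncate paths in lower layers.
      3. Split into segments and refuse any '..' component outright.
      4. Join with the root and verify the normalized result is still
         inside the root (defense in depth for step 3).
    """
    decoded = unquote(raw_request_path)
    if "\x00" in decoded:
        return None

    # Drop empty and '.' segments; they do not change the target.
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):
        return None

    root_norm = posixpath.normpath(root)
    if not segments:
        return root_norm
    candidate = posixpath.normpath(posixpath.join(root_norm, *segments))

    # Lexical containment check. In production, resolve symlinks with
    # os.path.realpath on both sides before comparing.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: ordinary files and encoded traversal.
    for path in ["/index.html", "/css/./style.css",
                 "/%2e%2e/%2e%2e/etc/passwd", "/..%2f..%2fetc/passwd"]:
        print(f"{path!r:32} naive blocks: {naive_rejects_traversal(path)!s:5} "
              f"hardened -> {resolve_static_path(path)}")
```

The `naive_rejects_traversal` function is kept only to show why the decoded form must be the one inspected; `resolve_static_path` rejects `..` after decoding and then re-checks containment of the normalized path so that a future change to the segment logic cannot silently reopen the escape.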

Patches

Version 4.29.4

Workarounds

Upgrade to 4.24.4 or later, or disable FileMiddleware.

References

For more information

If you have any questions or comments about this advisory:

Severity

Critical

CVE ID

CVE-2020-15230

Weaknesses

No CWEs

Credits