SYM_JSTS_0050 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
OWASP | A5:2017 - Broken Access Control |
Confidence Level | Medium |
Impact Level | Medium |
Likelihood Level | High |
Description
User input from an HTTP request (route parameters, query string, or body) is passed directly to path.join or path.resolve when an Express handler builds a file path. Both functions normalise `..` segments, so joining a base directory with a value such as `../../etc/passwd` yields a path outside that directory, and path.resolve additionally discards the base entirely when the user-supplied segment is absolute. Unless the resulting path is checked against the intended directory after resolution, an attacker can read or write any file the Node.js process has access to.
Impact
If exploited, an attacker can read, modify, or overwrite files outside the intended directory by supplying `../` sequences (or an absolute path) in the request. Reading exposes configuration files, credentials and source code; writing can replace application files or fill the disk. The result is a data breach, application compromise, or service disruption.