{
  "schema_version": "1.3.1",
  "id": "GO-2022-0355",
  "modified": "0001-01-01T00:00:00Z",
  "published": "2022-07-27T20:26:59Z",
  "aliases": [
    "CVE-2022-21221",
    "GHSA-fx95-883v-4q4h"
  ],
  "summary": "Path traversal in github.com/valyala/fasthttp",
  "details": "The fasthttp.FS request handler is vulnerable to directory traversal attacks on Windows systems and can serve files from outside the provided root directory.\n\nURL path normalization does not handle Windows path separators (backslashes), permitting an attacker to construct requests whose relative path components are not normalized and therefore escape the root directory.",
  "affected": [
    {
      "package": {
        "name": "github.com/valyala/fasthttp",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.34.0"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "imports": [
          {
            "path": "github.com/valyala/fasthttp",
            "symbols": [
              "AppendBrotliBytes",
              "AppendBrotliBytesLevel",
              "AppendDeflateBytes",
              "AppendDeflateBytesLevel",
              "AppendGunzipBytes",
              "AppendGzipBytes",
              "AppendGzipBytesLevel",
              "AppendHTTPDate",
              "AppendInflateBytes",
              "AppendUnbrotliBytes",
              "Args.WriteTo",
              "Client.CloseIdleConnections",
              "Client.Do",
              "Client.DoDeadline",
              "Client.DoRedirects",
              "Client.DoTimeout",
              "Client.Get",
              "Client.GetDeadline",
              "Client.GetTimeout",
              "Client.Post",
              "Cookie.AppendBytes",
              "Cookie.Cookie",
              "Cookie.Parse",
              "Cookie.ParseBytes",
              "Cookie.String",
              "Cookie.WriteTo",
              "Dial",
              "DialDualStack",
              "DialDualStackTimeout",
              "DialTimeout",
              "Do",
              "DoDeadline",
              "DoRedirects",
              "DoTimeout",
              "FS.NewRequestHandler",
              "FSHandler",
              "FileLastModified",
              "GenerateTestCertificate",
              "Get",
              "GetDeadline",
              "GetTimeout",
              "HostClient.CloseIdleConnections",
              "HostClient.Do",
              "HostClient.DoDeadline",
              "HostClient.DoRedirects",
              "HostClient.DoTimeout",
              "HostClient.Get",
              "HostClient.GetDeadline",
              "HostClient.GetTimeout",
              "HostClient.Post",
              "LBClient.Do",
              "LBClient.DoDeadline",
              "LBClient.DoTimeout",
              "ListenAndServe",
              "ListenAndServeTLS",
              "ListenAndServeTLSEmbed",
              "ListenAndServeUNIX",
              "NewStreamReader",
              "ParseByteRange",
              "ParseHTTPDate",
              "ParseIPv4",
              "PipelineClient.Do",
              "PipelineClient.DoDeadline",
              "PipelineClient.DoTimeout",
              "PipelineClient.PendingRequests",
              "Post",
              "Request.Body",
              "Request.BodyGunzip",
              "Request.BodyInflate",
              "Request.BodyUnbrotli",
              "Request.BodyWriteTo",
              "Request.ContinueReadBody",
              "Request.ContinueReadBodyStream",
              "Request.Host",
              "Request.MultipartForm",
              "Request.PostArgs",
              "Request.Read",
              "Request.ReadBody",
              "Request.ReadLimitBody",
              "Request.SetBodyStreamWriter",
              "Request.SetHost",
              "Request.SetHostBytes",
              "Request.String",
              "Request.SwapBody",
              "Request.URI",
              "Request.Write",
              "Request.WriteTo",
              "RequestCtx.FormFile",
              "RequestCtx.FormValue",
              "RequestCtx.Host",
              "RequestCtx.IfModifiedSince",
              "RequestCtx.MultipartForm",
              "RequestCtx.Path",
              "RequestCtx.PostArgs",
              "RequestCtx.PostBody",
              "RequestCtx.QueryArgs",
              "RequestCtx.Redirect",
              "RequestCtx.RedirectBytes",
              "RequestCtx.SendFile",
              "RequestCtx.SendFileBytes",
              "RequestCtx.SetBodyStreamWriter",
              "RequestCtx.String",
              "RequestCtx.URI",
              "RequestHeader.Add",
              "RequestHeader.AddBytesK",
              "RequestHeader.AddBytesKV",
              "RequestHeader.AddBytesV",
              "RequestHeader.Read",
              "RequestHeader.ReadTrailer",
              "RequestHeader.Set",
              "RequestHeader.SetByteRange",
              "RequestHeader.SetBytesK",
              "RequestHeader.SetBytesKV",
              "RequestHeader.SetBytesV",
              "RequestHeader.SetCanonical",
              "RequestHeader.SetReferer",
              "RequestHeader.SetRefererBytes",
              "RequestHeader.Write",
              "Response.Body",
              "Response.BodyGunzip",
              "Response.BodyInflate",
              "Response.BodyUnbrotli",
              "Response.BodyWriteTo",
              "Response.Read",
              "Response.ReadBody",
              "Response.ReadLimitBody",
              "Response.SendFile",
              "Response.SetBodyStreamWriter",
              "Response.String",
              "Response.SwapBody",
              "Response.Write",
              "Response.WriteDeflate",
              "Response.WriteDeflateLevel",
              "Response.WriteGzip",
              "Response.WriteGzipLevel",
              "Response.WriteTo",
              "ResponseHeader.Add",
              "ResponseHeader.AddBytesK",
              "ResponseHeader.AddBytesKV",
              "ResponseHeader.AddBytesV",
              "ResponseHeader.AppendBytes",
              "ResponseHeader.Cookie",
              "ResponseHeader.DelClientCookie",
              "ResponseHeader.DelClientCookieBytes",
              "ResponseHeader.Header",
              "ResponseHeader.Read",
              "ResponseHeader.ReadTrailer",
              "ResponseHeader.Set",
              "ResponseHeader.SetBytesK",
              "ResponseHeader.SetBytesKV",
              "ResponseHeader.SetBytesV",
              "ResponseHeader.SetCanonical",
              "ResponseHeader.SetContentRange",
              "ResponseHeader.SetCookie",
              "ResponseHeader.SetLastModified",
              "ResponseHeader.String",
              "ResponseHeader.Write",
              "ResponseHeader.WriteTo",
              "SaveMultipartFile",
              "Serve",
              "ServeConn",
              "ServeFile",
              "ServeFileBytes",
              "ServeFileBytesUncompressed",
              "ServeFileUncompressed",
              "ServeTLS",
              "ServeTLSEmbed",
              "Server.AppendCert",
              "Server.AppendCertEmbed",
              "Server.ListenAndServe",
              "Server.ListenAndServeTLS",
              "Server.ListenAndServeTLSEmbed",
              "Server.ListenAndServeUNIX",
              "Server.Serve",
              "Server.ServeConn",
              "Server.ServeTLS",
              "Server.ServeTLSEmbed",
              "Server.Shutdown",
              "TCPDialer.Dial",
              "TCPDialer.DialDualStack",
              "TCPDialer.DialDualStackTimeout",
              "TCPDialer.DialTimeout",
              "URI.Parse",
              "URI.Update",
              "URI.UpdateBytes",
              "URI.WriteTo",
              "WriteBrotli",
              "WriteBrotliLevel",
              "WriteDeflate",
              "WriteDeflateLevel",
              "WriteGunzip",
              "WriteGzip",
              "WriteGzipLevel",
              "WriteInflate",
              "WriteMultipartForm",
              "WriteUnbrotli",
              "bigFileReader.Read",
              "bigFileReader.WriteTo",
              "ctxLogger.Printf",
              "firstByteReader.Read",
              "flushWriter.Write",
              "fsFile.NewReader",
              "fsSmallFileReader.WriteTo",
              "hijackConn.Close",
              "hijackConn.Read",
              "perIPConn.Close",
              "perIPConnCounter.Unregister",
              "pipelineConnClient.Do",
              "pipelineConnClient.DoDeadline",
              "pipelineConnClient.PendingRequests",
              "requestStream.Read",
              "statsWriter.Write",
              "tcpKeepaliveListener.Accept",
              "workerPool.Serve"
            ]
          }
        ]
      }
    }
  ],
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/valyala/fasthttp/commit/6b5bc7bb304975147b4af68df54ac214ed2554c1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/valyala/fasthttp/issues/1226"
    },
    {
      "type": "WEB",
      "url": "https://github.com/valyala/fasthttp/releases/tag/v1.34.0"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMVALYALAFASTHTTP-2407866"
    }
  ],
  "credits": [
    {
      "name": "egovorukhin"
    }
  ],
  "database_specific": {
    "url": "https://pkg.go.dev/vuln/GO-2022-0355"
  }
}