New Study Reveals Vulnerable Code Pattern Putting GitHub Projects at Risk of Path Traversal Attacks

A comprehensive research study has identified a widespread path traversal vulnerability (CWE-22) affecting 1,756 open-source GitHub projects, some of which are highly influential in the software ecosystem.

The vulnerability, present in a commonly used Node.js code pattern for creating static HTTP file servers, enables attackers to access files outside of restricted locations, potentially compromising confidentiality and availability of affected systems.

Widespread Path Traversal Vulnerability

The vulnerability stems from a pattern where developers use the path.join function with user-supplied input from URL pathnames without proper sanitization.

This allows attackers to exploit the pattern by using directory traversal sequences like “../” to access files outside intended directories.

According to the Report, many of the affected projects have critical vulnerabilities with CVSS scores higher than 9.0, as they can be exploited remotely without privileges.

The vulnerable code pattern first emerged around 2010 and has since ...