CVE-2022-21221
directory traversal vulnerability in fasthttp (Go)

Type: directory traversal | Known exploit: none | Fixable by Resolved Security

What is CVE-2022-21221 About?

This vulnerability affects the `fasthttp.FS` request handler when the server runs on Windows. The handler's URL path normalization does not treat the Windows path separator (backslash, \) as a separator, so an attacker can use backslash-delimited `..` components to reach files outside the configured root directory. Any client that can send crafted HTTP requests to the handler can exploit it.

Affected Software

github.com/valyala/fasthttp <1.34.0

Technical Details

On Windows, the fasthttp.FS request handler normalizes URL paths using only the forward slash as a separator; backslashes (\) are neither converted to forward slashes nor rejected. A request path such as staticsubdir\..\..\windows\win.ini therefore passes through normalization as a single path component with its embedded .. elements intact, but when the joined path is handed to the Windows filesystem each backslash is honored as a separator and the .. elements walk up out of the configured root. For example, a request like http://example.com/staticsubdir\..\..\windows\win.ini could fetch win.ini from the system drive (depending on how deep the configured root sits), and the same technique serves any other file the server process can read.

What is the Impact of CVE-2022-21221?

Successful exploitation allows an attacker to read arbitrary files outside the intended web root that the server process has permission to read. This is an information disclosure issue: exposed sensitive data (configuration, credentials, source) can in turn enable further compromise of the host or adjacent systems.

What is the Exploitability of CVE-2022-21221?

Exploitation requires only sending a specially crafted HTTP request to a server that uses fasthttp.FS on Windows. Complexity is low: the attacker includes relative path components with Windows-style separators (for example \..\) in the request path. No authentication or privileges are needed beyond network access to the service, so this is a remote, unauthenticated exploit. The preconditions are a Windows host and the affected fasthttp.FS handler; where a vulnerable server serves files from URL paths and is reachable from untrusted networks, exploitation should be considered likely.
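For detection, the following Go snippet (added here; it is not from this page's source, from fasthttp or from Resolved Security) scans access-log lines for the request shape this section describes: a ".." component bounded by a backslash. It checks the request target both raw and after one round of percent-decoding, so %5C-encoded backslashes are caught as well. The log lines, addresses and timestamps are constructed samples.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Constructed sample access-log lines in common log format (not real traffic).
// Lines 2 and 3 carry the backslash-traversal shape; line 4 is ordinary
// forward-slash traversal, which path cleaning already handles.
var sampleLog = []string{
	`10.0.0.5 - - [10/Mar/2022:12:00:01 +0000] "GET /static/css/site.css HTTP/1.1" 200 1042`,
	`10.0.0.9 - - [10/Mar/2022:12:00:02 +0000] "GET /static\..\..\windows\win.ini HTTP/1.1" 200 403`,
	`10.0.0.9 - - [10/Mar/2022:12:00:03 +0000] "GET /static%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 403`,
	`10.0.0.9 - - [10/Mar/2022:12:00:04 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0`,
}

// reqLine pulls the request target out of the quoted request line.
var reqLine = regexp.MustCompile(`"(?:GET|HEAD|POST) (\S+) HTTP/`)

// backslashDotDot matches a ".." that has a backslash on at least one side.
var backslashDotDot = regexp.MustCompile(`(\\\.\.|\.\.\\)`)

// suspiciousTraversal reports whether a request target contains a
// backslash-delimited ".." either literally or after one round of
// percent-decoding (%5C / %5c is an encoded backslash).
func suspiciousTraversal(target string) bool {
	decoded, err := url.PathUnescape(target)
	if err != nil {
		decoded = target // malformed escapes: fall back to the raw string
	}
	return backslashDotDot.MatchString(target) || backslashDotDot.MatchString(decoded)
}

// flagTraversalAttempts returns the request targets of every log line that
// looks like a backslash traversal attempt, in log order.
func flagTraversalAttempts(lines []string) []string {
	var hits []string
	for _, line := range lines {
		m := reqLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if suspiciousTraversal(m[1]) {
			hits = append(hits, m[1])
		}
	}
	return hits
}

func main() {
	for _, target := range flagTraversalAttempts(sampleLog) {
		fmt.Println("backslash traversal attempt:", target)
	}
}
```

A 200 status on such a request against a Windows host running an affected version is the signal to escalate; a 404 or 400 only tells you the probe was attempted. Double-encoded targets (%255C) would need a second decoding pass, which this snippet deliberately does not do.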

What are the Known Public Exploits?

No public proof-of-concept exploits are listed (PoC / Author / Link / Commentary: none).

What are the Available Fixes for CVE-2022-21221?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

The patch addresses CVE-2022-21221 by strengthening path normalization to also handle Windows-style backslash (\) directory traversal sequences, preventing bypass of security controls using backslash variants such as ..\, \.., and mixed slashes. It also adds prominent warnings to developers against using user-supplied paths directly with file-serving functions. This fix closes a loophole where attackers could use backslashes to traverse directories and access unauthorized files outside the intended web root on Windows systems.
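To make the failure mode and the shape of the fix concrete, the following Go program (an added illustration; it is not code from fasthttp and not the Resolved Security patch described above) contrasts a path-cleaning routine that recognises only forward slashes, as in the Technical Details section, with one that first folds backslashes into forward slashes, as this fix description outlines. The request strings are constructed samples, and escapesRootOnWindows simulates how a Windows filesystem would interpret the resulting relative path, so the program shows the effect on any operating system.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed sample request paths (not captured traffic). The first has the
// shape described in the advisory: backslash-separated ".." components.
var sampleRequests = []string{
	`staticsubdir\..\..\windows\win.ini`,
	`static/..\..\secrets.txt`, // mixed separators
	`css/../../site.css`,       // forward-slash traversal, collapsed by Clean
	`img/logo.png`,
}

// vulnerableRelPath models a handler whose normalization recognises only '/'.
// path.Clean treats `staticsubdir\..\..\windows\win.ini` as ONE component, so
// the embedded ".." never collapses and the string reaches the filesystem
// unchanged. On Windows the OS then honours each '\' as a separator.
func vulnerableRelPath(reqPath string) string {
	return strings.TrimPrefix(path.Clean("/"+reqPath), "/")
}

// hardenedRelPath folds '\' into '/' before cleaning, so Windows-style
// separators become real components and the rooted Clean cannot climb above
// "/". This is an illustrative hardening, not the library's own patch.
func hardenedRelPath(reqPath string) (string, error) {
	p := strings.ReplaceAll(reqPath, `\`, "/")
	p = path.Clean("/" + p) // "/a/../../b" -> "/b": ".." above the root is dropped
	rel := strings.TrimPrefix(p, "/")
	if rel == "" {
		rel = "."
	}
	// Defence in depth: no ".." component may survive the rooted Clean.
	for _, seg := range strings.Split(rel, "/") {
		if seg == ".." {
			return "", fmt.Errorf("path traversal rejected: %q", reqPath)
		}
	}
	return rel, nil
}

// escapesRootOnWindows simulates a Windows filesystem's view of a relative
// path: both '/' and '\' separate components, and a ".." that steps below
// the root directory means the request escaped it.
func escapesRootOnWindows(rel string) bool {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	depth := 0
	for _, seg := range strings.FieldsFunc(rel, isSep) {
		switch seg {
		case ".":
			// no-op
		case "..":
			depth--
			if depth < 0 {
				return true
			}
		default:
			depth++
		}
	}
	return false
}

func main() {
	for _, req := range sampleRequests {
		v := vulnerableRelPath(req)
		h, err := hardenedRelPath(req)
		fmt.Printf("%-38q vulnerable=%-38q escapes=%-5v hardened=%q err=%v\n",
			req, v, escapesRootOnWindows(v), h, err)
	}
}
```

The hardened routine serves root/windows/win.ini for the advisory's sample request rather than the system file; rejecting any request containing a backslash outright is the stricter alternative when the site never needs backslashes in URLs.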

Available Upgrade Options

  • github.com/valyala/fasthttp
    • <1.34.0 → Upgrade to 1.34.0 or later


Additional Resources

What are Similar Vulnerabilities to CVE-2022-21221?

Similar Vulnerabilities: CVE-2021-41773, CVE-2021-42340, CVE-2021-33758, CVE-2021-40438, CVE-2022-22947