Safeguard
Tag

path-traversal

Safeguard articles tagged "path-traversal" — guides, analysis, and best practices for software supply chain and application security.

42 articles

Application Security

Path traversal, decoded: canonicalization patterns across languages

CVE-2021-41773 turned a broken path-normalization routine in Apache 2.4.49 into remote code execution. Here's how canonicalization stops the whole bug class.

Jul 15, 20266 min read
Application Security

Secure file uploads in Node.js and Fastify

CWE-22 path traversal climbed three spots to #5 on the 2024 CWE Top 25. Here's how to validate, store, and scan Fastify uploads without trusting the client.

Jul 15, 20266 min read
Application Security

Detecting and preventing Zip Slip and path traversal in Java

Snyk's 2018 Zip Slip disclosure hit Amazon, Apache, and LinkedIn projects at once — here's how the flaw still hides in Java archive code today, and how to catch it.

Jul 14, 20265 min read
Application Security

Preventing path traversal in Node.js file upload and serving code

path.join() doesn't stop ../../etc/passwd — CVE-2024-12905 and Zip Slip show why Node.js needs explicit containment checks, not just path normalization.

Jul 14, 20266 min read
Open Source Security

Common Go module vulnerability patterns and how govulncheck helps

Two real CVEs in Go's path/filepath package and a growing SSRF problem in webhook handlers show why Go's safety guarantees don't cover application logic.

Jul 14, 20266 min read
Open Source Security

Recurring vulnerability patterns in the PyPI ecosystem

PyYAML shipped two rounds of deserialization fixes in under two years — CVE-2017-18342 and CVE-2020-14343 — because the underlying pattern kept resurfacing.

Jul 14, 20266 min read
Application Security

Secure URL Encoding and Decoding in Java

Java's URLEncoder turns spaces into + instead of %20 — a form-encoding quirk that, mixed with double-decoding, still causes path-traversal bugs like CVE-2025-41242 in 2025.

Jul 8, 20266 min read
Security Guides

tar (node-tar) Security Guide (2026)

node-tar is the archive engine underneath npm install itself — and a cluster of path-traversal and symlink CVEs made 'just extracting a tarball' one of the more dangerous operations in the Node.js ecosystem.

Jul 7, 20266 min read
Application Security

Apache Struts and the recurring pattern of path-traversal and RCE bugs

Equifax lost data on 147 million people to one unpatched Struts CVE in 2017 — and the same class of bug resurfaced in Struts as recently as December 2023.

Jul 7, 20266 min read
Vulnerability Guides

Path Traversal Vulnerability Prevention, Explained

One unvalidated filename and `../../../etc/passwd` reads files you never meant to expose — or worse, executes them. Here's how path traversal works and how to build file access that can't be tricked.

Jul 6, 20265 min read
Application Security

Zip Slip vulnerability cheat sheet

A concrete, question-driven cheat sheet on Zip Slip: how the archive-extraction path traversal bug works, real CVEs, and how to detect and fix it.

May 29, 20268 min read
Application Security

Preventing path traversal (directory traversal) attacks

Path traversal lets attackers read or write files outside a web app's directory using ../ sequences. Here's how it works and how to stop it.

May 29, 20267 min read
path-traversal — Safeguard Blog