Safeguard
Tag

path-traversal

Safeguard articles tagged "path-traversal" — guides, analysis, and best practices for software supply chain and application security.

42 articles

Vulnerability Analysis

Harbor Arbitrary File Overwrite via Chart Upload Path Tra...

CVE-2020-13788 let authenticated users overwrite arbitrary files on Harbor via path traversal in Helm chart uploads. Here's the impact, fix, and remediation steps.

Nov 22, 20258 min read
Industry Analysis

Path Traversal Prevention in JavaScript/Node.js with path...

path.normalize() alone will not stop path traversal in Node.js. Real CVEs like node-tar show why resolve-then-compare beats normalize-then-trust.

Oct 25, 20257 min read
Industry Analysis

Path Traversal Prevention in PHP: Avoiding include() with...

PHP's include() turns a path traversal bug into remote code execution. See how CVE-2015-2213 and CVE-2022-1329 happened, and how to prevent it with allowlists.

Oct 25, 20257 min read
Industry Analysis

Path Traversal Prevention in Python with os.path.realpath

os.path.normpath() and abspath() don't stop symlink-based path traversal. Here's how os.path.realpath() closes the gap, with real CVEs and a secure pattern.

Oct 24, 20257 min read
Industry Analysis

Path Traversal Prevention in Go with filepath.Join Valida...

filepath.Join in Go only cleans a path, it doesn't restrict it to a base directory. Here's why that gap produced real CVEs, and how to close it for good.

Oct 24, 20257 min read
Industry Analysis

Path Traversal Prevention in Java with Path.normalize

Path.normalize() cleans up "." and ".." in a Java path — but it doesn't stop path traversal. Here's why the Zip Slip pattern still slips past code review in 2026.

Oct 24, 20257 min read
Industry Analysis

Path Traversal Prevention in C# with Path.GetFullPath

Path.GetFullPath resolves traversal sequences, but it isn't a sanitizer on its own. Here's how C# teams get containment checks wrong, and how to fix them.

Oct 24, 20257 min read
Industry Analysis

Path Traversal Prevention in Ruby with File.realpath

How File.realpath stops path traversal in Ruby apps, why File.expand_path alone fails, and what real CVEs like Sprockets' CVE-2018-3760 reveal about secure file handling.

Oct 23, 20258 min read
Industry Analysis

Path Traversal Prevention in Rust with fs::canonicalize

fs::canonicalize resolves `..` and symlinks into one absolute path, but it can't fix TOCTOU races, missing files, or Windows prefix quirks on its own. Here's the safe pattern.

Oct 23, 20257 min read
Industry Analysis

Path Traversal Prevention in C++ with std::filesystem::we...

Why std::filesystem::weakly_canonical alone doesn't stop path traversal in C++, and the containment check every extraction, upload, or plugin loader needs beside it.

Oct 23, 20257 min read
Agent Security

Windsurf CVE-2025-62353: Path Traversal in Cascade and the IDEsaster Wave

HiddenLayer's CVSS 9.8 Windsurf flaw exfiltrated secrets even with write_to_file on the deny list. The Cascade agent's filesystem trust broke wide open.

Oct 21, 20256 min read
Vulnerability Analysis

CVE-2018-1271: Path traversal in Spring MVC static resour...

A path traversal flaw in Spring MVC's static resource handling let attackers on Windows deployments escape the web root and read arbitrary files.

Sep 22, 20257 min read
path-traversal (Page 3) — Safeguard Blog