path-traversal
Safeguard articles tagged "path-traversal" — guides, analysis, and best practices for software supply chain and application security.
42 articles
Harbor Arbitrary File Overwrite via Chart Upload Path Tra...
CVE-2020-13788 let authenticated users overwrite arbitrary files on Harbor via path traversal in Helm chart uploads. Here's the impact, fix, and remediation steps.
Path Traversal Prevention in JavaScript/Node.js with path...
path.normalize() alone will not stop path traversal in Node.js. Real CVEs like node-tar show why resolve-then-compare beats normalize-then-trust.
Path Traversal Prevention in PHP: Avoiding include() with...
PHP's include() turns a path traversal bug into remote code execution. See how CVE-2015-2213 and CVE-2022-1329 happened, and how to prevent it with allowlists.
Path Traversal Prevention in Python with os.path.realpath
os.path.normpath() and abspath() don't stop symlink-based path traversal. Here's how os.path.realpath() closes the gap, with real CVEs and a secure pattern.
Path Traversal Prevention in Go with filepath.Join Valida...
filepath.Join in Go only cleans a path, it doesn't restrict it to a base directory. Here's why that gap produced real CVEs, and how to close it for good.
Path Traversal Prevention in Java with Path.normalize
Path.normalize() cleans up "." and ".." in a Java path — but it doesn't stop path traversal. Here's why the Zip Slip pattern still slips past code review in 2026.
Path Traversal Prevention in C# with Path.GetFullPath
Path.GetFullPath resolves traversal sequences, but it isn't a sanitizer on its own. Here's how C# teams get containment checks wrong, and how to fix them.
Path Traversal Prevention in Ruby with File.realpath
How File.realpath stops path traversal in Ruby apps, why File.expand_path alone fails, and what real CVEs like Sprockets' CVE-2018-3760 reveal about secure file handling.
Path Traversal Prevention in Rust with fs::canonicalize
fs::canonicalize resolves `..` and symlinks into one absolute path, but it can't fix TOCTOU races, missing files, or Windows prefix quirks on its own. Here's the safe pattern.
Path Traversal Prevention in C++ with std::filesystem::we...
Why std::filesystem::weakly_canonical alone doesn't stop path traversal in C++, and the containment check every extraction, upload, or plugin loader needs beside it.
Windsurf CVE-2025-62353: Path Traversal in Cascade and the IDEsaster Wave
HiddenLayer's CVSS 9.8 Windsurf flaw exfiltrated secrets even with write_to_file on the deny list. The Cascade agent's filesystem trust broke wide open.
CVE-2018-1271: Path traversal in Spring MVC static resour...
A path traversal flaw in Spring MVC's static resource handling let attackers on Windows deployments escape the web root and read arbitrary files.