Fasthttp · Fasthttp · CVE-2022-21221
**Name of the Vulnerable Software and Affected Versions**
github.com/valyala/fasthttp versions prior to 1.34.0
**Description**
The issue is a directory traversal in the `ServeFile` function caused by improper path sanitization. It can be exploited by placing a URL-encoded backslash (`%5c`) in the request path. This security issue affects Windows users only. The `fasthttp.FS` request handler is vulnerable to directory traversal on Windows systems, allowing an attacker to serve files from outside the configured root directory. The cause is that URL path normalization does not treat Windows path separators (backslashes) as separators, so an attacker can construct requests whose relative path components survive normalization and are then resolved by the operating system.
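The following is an added example, not fasthttp's code, showing the kind of pre-check a static-file handler can apply before touching the filesystem: decode once, refuse any backslash that slash-based normalization would leave intact, and clean the path as a rooted slash path so `..` cannot climb above the root. `SafeFSPath`, the root `/srv/www` and the sample request paths are all constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for any request path that must not reach the filesystem.
var ErrUnsafePath = errors.New("unsafe request path")

// SafeFSPath maps a raw request URI path onto a file path beneath root. It is an
// added pre-check for a static-file handler, not fasthttp's own code.
func SafeFSPath(root, rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath) // %5c becomes a visible '\'
	if err != nil {
		return "", ErrUnsafePath
	}
	// path.Clean only knows '/', so a backslash survives normalization and is
	// then read as a separator by Windows: refuse it (and NUL) before cleaning.
	if strings.ContainsAny(decoded, "\\\x00") {
		return "", ErrUnsafePath
	}
	// A leading "/" makes Clean resolve every ".." against the root, so the
	// result cannot climb above it (Clean("/../x") == "/x").
	cleaned := path.Clean("/" + decoded)
	full := filepath.Join(root, filepath.FromSlash(cleaned))
	// Belt and braces: the joined path must still lie inside root.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return full, nil
}

func main() {
	root := filepath.Join(string(filepath.Separator), "srv", "www") // constructed root
	for _, p := range []string{
		"/static/app.js",
		"/static/../../etc/passwd",     // "/"-style "..": confined to root by Clean
		"/static/..%5c..%5csecret.txt", // encoded backslash, the vector in this CVE
	} {
		full, err := SafeFSPath(root, p)
		fmt.Printf("%-32s -> %q %v\n", p, full, err)
	}
}
```

Note that the slash-style `..` is not an error: it is collapsed against the root and stays inside it, which is exactly what the backslash variant bypassed on Windows.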
**Recommendations**
For versions prior to 1.34.0, update to version 1.34.0 or later to resolve the issue. As a temporary workaround, consider disabling the `ServeFile` function until a patch is available. Restrict access to the `fasthttp.FS` request handler to minimize the risk of exploitation. Until the issue is resolved, do not accept request paths containing the backslash `%5c` character on the affected API endpoints.