Name of the Vulnerable Software and Affected Versions: tower-http (affected versions not specified)

Description: The issue arises from the tower http::services::fs::ServeDir function not correctly validating Windows paths, allowing access to files outside the intended directory. This means paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and respond with the contents of c:/windows/web/screen/img101.png, potentially enabling users to read files anywhere on the filesystem. This issue only affects Windows, with Linux and other Unix-like systems not being impacted.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.