PT-2022-14932 · Fasthttp · Fasthttp

Egovorukhin · Published 2022-03-17 · Updated 2022-07-27 · CVE-2022-21221

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: github.com/valyala/fasthttp versions prior to 1.34.0

Description: The issue is a Directory Traversal in the ServeFile function caused by improper path sanitization. It can be exploited by placing a backslash (%5c) character in the request path. This security issue impacts Windows users only. The fasthttp.FS request handler is vulnerable to directory traversal on Windows systems, allowing an attacker to serve files from outside the configured root directory. The cause is that URL path normalization does not treat the Windows path separator (backslash) as a separator, so an attacker can construct requests whose relative path elements survive normalization.

Recommendations: For versions prior to 1.34.0, update to version 1.34.0 or later to resolve the issue. As a temporary workaround, consider disabling the ServeFile function until a patch is available. Restrict access to the fasthttp.FS request handler to minimize the risk of exploitation. Avoid the backslash (%5c) character in paths handled by the affected API endpoints until the issue is resolved.
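The normalization gap described above, as an added Go example that is not fasthttp's own code: a naive cleaner that only understands `/` beside a hardened one that folds backslashes into forward slashes before cleaning, run over a constructed request path whose `%5c` has already been URL-decoded. `SafeServePath` and the root `/srv/www` are hypothetical names chosen for the illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// naiveClean stands in for a normalizer that only knows '/' as separator.
// path.Clean collapses "/a/../b" but sees `..\..\x` as one opaque element,
// so a backslash traversal survives. Illustrative, not fasthttp's code.
func naiveClean(requestPath string) string {
	return path.Clean("/" + requestPath)
}

// hardenedClean folds backslashes into forward slashes first, so every
// ".." element is visible to path.Clean and collapsed against the root.
func hardenedClean(requestPath string) string {
	return path.Clean("/" + strings.ReplaceAll(requestPath, `\`, "/"))
}

// containsDotDot splits on either separator and reports whether any element
// is "..", i.e. whether the OS could still walk above the served root.
func containsDotDot(p string) bool {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, elem := range strings.FieldsFunc(p, isSep) {
		if elem == ".." {
			return true
		}
	}
	return false
}

// SafeServePath (hypothetical helper) maps an already URL-decoded request
// path onto root; the containsDotDot check is defence in depth, since a
// rooted path.Clean has already discarded every upward element.
func SafeServePath(root, requestPath string) (string, bool) {
	clean := hardenedClean(requestPath)
	if containsDotDot(clean) {
		return "", false
	}
	return root + clean, true
}

func main() {
	// Constructed sample request: "%5c" has already been decoded to '\'.
	req := `/static/..\..\config.ini`
	fmt.Printf("naive:    %q dotdot=%v\n", naiveClean(req), containsDotDot(naiveClean(req)))
	fmt.Printf("hardened: %q dotdot=%v\n", hardenedClean(req), containsDotDot(hardenedClean(req)))
	fsPath, ok := SafeServePath("/srv/www", req)
	fmt.Println(fsPath, ok) // /srv/www/config.ini true
}
```

The naive result still carries two `..` elements that a Windows filesystem would honour; the hardened result resolves to `/config.ini` directly under the root.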

Path traversal

Related Identifiers

CVE-2022-21221
GHSA-FX95-883V-4Q4H
GO-2022-0355
SNYK-GOLANG-GITHUBCOMVALYALAFASTHTTP-2407866

Affected Products

Fasthttp