PT-2024-40545 · Unknown+2 · Goyave.Dev/Goyave/V5/Util/Fsutil+2
Published 2024-12-13 · Updated 2024-12-13
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions:
Go application using router.Static and osfs.FS (affected versions not specified)
Description:
The issue allows clients to read any file on the host file system by supplying relative paths, because the requested path is not sanitized: "." and ".." segments are accepted as-is. The file is returned in the response as long as the system user running the Go application has read permission on it.
Recommendations:
As a workaround, use fsutil.NewEmbed(embeddedFS) from the goyave.dev/goyave/v5/util/fsutil package to serve static content through Router.Static instead of &osfs.FS. An embedded file system is rooted at the specified directory, so a request cannot resolve to a path outside the directory the developer intended to serve.
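The traversal described above and the confinement the workaround relies on, shown as an added Go example that is not Goyave's code: the document root and request paths are constructed, and the helpers naiveJoin, escapesRoot and confinedJoin are hypothetical names written for this illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed document root for the examples below.
const staticRoot = "/srv/static"

// naiveJoin illustrates the bug class: path.Join collapses "." and ".."
// segments but does not confine the result to root, so a request such as
// "../../etc/passwd" resolves to a file outside the served directory.
// Hypothetical helper, not taken from Goyave.
func naiveJoin(root, requested string) string {
	return path.Join(root, requested)
}

// escapesRoot reports whether the naive join would leave root. Useful as a
// review check over access logs: any request for which this returns true
// was a traversal attempt against an unconfined handler.
func escapesRoot(root, requested string) bool {
	root = path.Clean(root)
	full := naiveJoin(root, requested)
	return full != root && !strings.HasPrefix(full, root+"/")
}

// confinedJoin is the hardened form: the request is cleaned as if it were
// absolute, so ".." can never climb above "/", then joined under root and
// verified to still lie below it. This is the property a rooted (embedded)
// file system provides without any extra code in the handler.
func confinedJoin(root, requested string) (string, bool) {
	root = path.Clean(root)
	full := path.Join(root, path.Clean("/"+requested))
	if full != root && !strings.HasPrefix(full, root+"/") {
		return "", false
	}
	return full, true
}

func main() {
	for _, req := range []string{"css/app.css", "../../etc/passwd", "a/../../b"} {
		safe, ok := confinedJoin(staticRoot, req)
		fmt.Printf("%-18s naive=%-16s escapes=%-5v confined=%s ok=%v\n",
			req, naiveJoin(staticRoot, req), escapesRoot(staticRoot, req), safe, ok)
	}
}
```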
Related Identifiers
Affected Products
Go
Goyave.Dev/Goyave/V5/Util/Fsutil
Osfs.Fs