PT-2025-20010 · Hackage · Spacecookie

Published 2025-05-06 · Updated 2025-11-14

Severity: None. No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Broken Path Sanitization in spacecookie Library

The spacecookie library exposes the functions sanitizePath and sanitizeIfNotUrl, which are intended to remove .. components from paths and can therefore be used to prevent path traversal attacks. Due to an erroneous comparison in the filtering code, the .. components were never actually removed. This has been fixed in version 1.0.0.3, which compares path components using equalFilePath.
Any user of these functions in any version of spacecookie should upgrade to 1.0.0.3 or later. Note that the spacecookie server executable included in the same package is not affected, because a separate check rejects any malicious path that gets past sanitizePath.
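The failure class described above, as an added example written for this page and not spacecookie's own code (spacecookie works on RawFilePath/ByteString; this uses the String-based filepath package that ships with GHC so it runs stand-alone with runghc). It assumes that the naive sanitizer takes its components from splitPath, which keeps trailing separators, so a literal comparison against ".." never matches; whether that is exactly what went wrong in spacecookie is not stated on this page. Beside the naive and equalFilePath-based versions it also shows an independent ".." check of the kind the advisory credits the server with, and goes one step further than the page with a lexical resolver (resolveUnderRoot) that refuses selectors that would climb above the document root.

```haskell
-- Example written for this page to illustrate the failure class described in
-- the advisory. It is NOT spacecookie's own code: spacecookie works on
-- RawFilePath (ByteString); this uses the String-based filepath package that
-- ships with GHC so it runs stand-alone (runghc Sanitize.hs).
--
-- Assumption: the naive version obtains components from splitPath, which
-- keeps trailing separators ("../" rather than ".."), so a literal comparison
-- against ".." never matches and nothing is removed. Whether that is exactly
-- what went wrong in spacecookie is not stated on this page.
module Main (main) where

import System.FilePath
  ( splitPath, splitDirectories, joinPath, equalFilePath, dropDrive, (</>) )

-- Naive sanitizer: comparison is on the raw component text, including any
-- trailing separator, so "../" and "./" are never recognised.
sanitizeNaive :: FilePath -> FilePath
sanitizeNaive = joinPath . filter (\c -> c /= ".." && c /= ".") . splitPath

-- Fixed sanitizer: equalFilePath normalises both sides (trailing separators,
-- and case on Windows) before comparing, so "../" is recognised as "..".
sanitizeFixed :: FilePath -> FilePath
sanitizeFixed = joinPath . filter (not . isDotOrDotDot) . splitPath

isDotOrDotDot :: FilePath -> Bool
isDotOrDotDot c = equalFilePath c "." || equalFilePath c ".."

-- Independent check in the spirit of the server-side rejection mentioned
-- above: does any component still equal ".." after sanitisation?
containsDotDot :: FilePath -> Bool
containsDotDot = any (`equalFilePath` "..") . splitDirectories

-- Stronger alternative to stripping: resolve "." and ".." lexically and
-- refuse a selector that would climb above the root. dropDrive removes a
-- leading "/" so that root </> selector cannot be overridden by an absolute
-- selector ((</>) discards its left operand when the right one is absolute).
-- Lexical resolution does not see symlinks; a server that follows them still
-- needs a check on the canonical path.
resolveUnderRoot :: FilePath -> FilePath -> Maybe FilePath
resolveUnderRoot root selector =
  fmap finish (go [] (splitDirectories (dropDrive selector)))
  where
    finish cs = root </> joinPath (reverse cs)
    go acc [] = Just acc
    go acc (c:cs)
      | equalFilePath c "."  = go acc cs
      | equalFilePath c ".." = case acc of
          []       -> Nothing          -- would escape the root
          (_:rest) -> go rest cs
      | otherwise            = go (c:acc) cs

main :: IO ()
main = do
  -- Constructed sample selectors: one traversal attempt, one benign path.
  let malicious = "/../../etc/passwd"
      benign    = "docs/./intro.txt"
      root      = "/srv/gopher"
  mapM_ (report root) [malicious, benign]
  where
    report root p = do
      putStrLn ("selector: " ++ p)
      putStrLn ("naive:    " ++ sanitizeNaive p
                ++ "  (.. left in: " ++ show (containsDotDot (sanitizeNaive p)) ++ ")")
      putStrLn ("fixed:    " ++ sanitizeFixed p
                ++ "  (.. left in: " ++ show (containsDotDot (sanitizeFixed p)) ++ ")")
      putStrLn ("resolved: " ++ show (resolveUnderRoot root p))
      putStrLn ""
```

With the naive version the traversal selector comes back unchanged and containsDotDot still reports True, which is why a single sanitiser should not be the only control; with the fixed version the .. and . components are dropped, and resolveUnderRoot rejects the selector outright instead of silently turning it into a different path.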

Related Identifiers

HSEC-2025-0004

Affected Products

Spacecookie