CVE-2026-24469
Path Traversal in C++ HTTP Server Allows Arbitrary File Read
Publication date: 2026-01-24
Last updated on: 2026-01-24
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frustratedproton | http-server | < 1.0 (all versions before 1.0; 1.0 itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Path Traversal flaw in the C++ HTTP Server's RequestHandler::handleRequest method. It occurs because the server takes a filename from the URL path without sanitizing it and directly concatenates it to the base files directory path. An attacker can exploit this by sending a crafted HTTP GET request containing '../' sequences, allowing them to access files outside the intended directory on the server's filesystem without authentication. [1]
How can this vulnerability impact me?
This vulnerability can allow an unauthenticated remote attacker to read arbitrary files on the server's filesystem. This leads to a high impact on confidentiality as sensitive files could be exposed. However, it does not affect the integrity or availability of the server. The attacker can gain access to files that should be restricted, potentially leaking sensitive information. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP GET requests to the server for path traversal patterns such as '../' sequences in the URL path, especially in requests starting with '/files/'. For example, network traffic analysis tools like tcpdump or Wireshark can capture HTTP requests, which can then be filtered for '../'. A tcpdump command that prints the payload of TCP port 80 packets carrying data is: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -F '../'` (the `-F` makes grep match the literal string; without it each `.` matches any character and the filter is far too broad). Likewise, reviewing server logs for GET requests with '../' in the path (e.g., `grep -F '../' access.log`) can surface exploitation attempts. Note that a literal match misses URL-encoded forms such as '%2e%2e/', so decode request paths before matching. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing input sanitization to reject any HTTP request paths containing '..' sequences to prevent directory traversal. Additionally, canonicalize and validate requested paths using absolute path resolution to ensure the requested file resides within the intended `files_directory`. Since no patch was available at the time of publication, blocking or filtering suspicious requests at the network or web server level (e.g., using a web application firewall to block requests with '../' in the URL) can help reduce risk. Ultimately, updating the application code to include path validation as suggested (using C++17 `std::filesystem` to check that the resolved path stays under the files directory) is necessary for a proper fix. [1]
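The following is an added example, not code from the http-server project or from this advisory. It places the unsafe concatenation the description above talks about next to a `std::filesystem`-based check of the kind the mitigation answer recommends, and then reuses that same check to scan constructed access-log lines for the traversal attempts the detection answer describes (including percent-encoded '../'). The base directory `/srv/files`, the `/files/` URL prefix (taken from the detection answer), the function names `buildPathUnsafe`, `percentDecode`, `resolveUnderBase`, `requestTarget` and `flagTraversalRequests`, and the sample log lines are all assumptions made for illustration.

```cpp
// Added example (not the project's code): unsafe path building beside a
// std::filesystem check, and that check applied to constructed log lines.
#include <cctype>
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Vulnerable pattern as the advisory describes it: the URL filename is glued
// onto the base directory, so "../../etc/passwd" walks out of it.
std::string buildPathUnsafe(const std::string& filesDir, const std::string& name) {
    return filesDir + "/" + name;
}

// Decode %XX escapes so "%2e%2e/" is seen as "../" before validation.
// Returns nullopt on a malformed escape.
std::optional<std::string> percentDecode(const std::string& s) {
    std::string out;
    for (std::size_t i = 0; i < s.size(); ++i) {
        if (s[i] != '%') { out += s[i]; continue; }
        if (i + 2 >= s.size() ||
            !std::isxdigit(static_cast<unsigned char>(s[i + 1])) ||
            !std::isxdigit(static_cast<unsigned char>(s[i + 2]))) {
            return std::nullopt;
        }
        out += static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16));
        i += 2;
    }
    return out;
}

// Hardened resolution: decode, reject absolute and NUL-bearing names, normalise
// lexically (no disk access) and require the result to stay under base.
std::optional<fs::path> resolveUnderBase(const fs::path& base, const std::string& requested) {
    auto decoded = percentDecode(requested);
    if (!decoded || decoded->find('\0') != std::string::npos) return std::nullopt;

    fs::path rel(*decoded);
    if (rel.is_absolute()) return std::nullopt;  // base / "/etc/passwd" would discard base

    fs::path normBase = base.lexically_normal();
    if (!normBase.has_filename()) normBase = normBase.parent_path();  // drop trailing '/'

    fs::path candidate = (normBase / rel).lexically_normal();
    fs::path relToBase = candidate.lexically_relative(normBase);
    // Empty: unrelated roots; ".": the directory itself; "..": escaped the directory.
    if (relToBase.empty() || relToBase.string() == "." || relToBase.begin()->string() == "..") {
        return std::nullopt;
    }
    return candidate;
}

// Extract the request-target from a Common Log Format line (the token after the
// method inside the quoted request), without any query string.
std::optional<std::string> requestTarget(const std::string& line) {
    auto q = line.find('"');
    if (q == std::string::npos) return std::nullopt;
    auto sp1 = line.find(' ', q + 1);
    if (sp1 == std::string::npos) return std::nullopt;
    auto sp2 = line.find(' ', sp1 + 1);
    if (sp2 == std::string::npos) return std::nullopt;
    std::string target = line.substr(sp1 + 1, sp2 - sp1 - 1);
    auto qm = target.find('?');
    if (qm != std::string::npos) target.erase(qm);
    return target;
}

// Assumption taken from the detection answer: file downloads live under "/files/".
const std::string kFilesPrefix = "/files/";

// Return the request targets whose file component would escape base.
std::vector<std::string> flagTraversalRequests(const std::vector<std::string>& logLines,
                                               const fs::path& base) {
    std::vector<std::string> flagged;
    for (const auto& line : logLines) {
        auto target = requestTarget(line);
        if (!target || target->compare(0, kFilesPrefix.size(), kFilesPrefix) != 0) continue;
        if (!resolveUnderBase(base, target->substr(kFilesPrefix.size()))) flagged.push_back(*target);
    }
    return flagged;
}

// Constructed sample log lines for illustration (not real traffic).
const std::vector<std::string> kSampleLog = {
    "203.0.113.5 - - [24/Jan/2026:10:00:00 +0000] \"GET /files/readme.txt HTTP/1.1\" 200 512",
    "203.0.113.5 - - [24/Jan/2026:10:00:01 +0000] \"GET /files/../../etc/passwd HTTP/1.1\" 200 1234",
    "203.0.113.7 - - [24/Jan/2026:10:00:02 +0000] \"GET /files/%2e%2e/%2e%2e/etc/shadow HTTP/1.1\" 200 900",
    "203.0.113.9 - - [24/Jan/2026:10:00:03 +0000] \"GET /index.html HTTP/1.1\" 200 300",
    "203.0.113.9 - - [24/Jan/2026:10:00:04 +0000] \"GET /files/docs/../readme.txt HTTP/1.1\" 200 512",
};

int main() {
    std::cout << "unsafe path: " << buildPathUnsafe("/srv/files", "../../etc/passwd") << '\n';
    for (const auto& t : flagTraversalRequests(kSampleLog, "/srv/files"))
        std::cout << "traversal attempt: " << t << '\n';
}
```

Two design points worth noting. The check is purely lexical (`lexically_normal` and `lexically_relative` never touch the disk), so it cannot be fooled by encoding tricks but also does not account for symlinks inside the files directory; if that matters, follow it with `fs::weakly_canonical` on the real directory and repeat the prefix test. Second, the blunt "reject anything containing '..'" rule from the answer above is a fine first line of defence, but it also rejects the harmless `docs/../readme.txt` in the sample log and, unless the path is decoded first, misses the `%2e%2e` form; the scanner here flags only the two requests that actually resolve outside the directory.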
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an unauthenticated remote attacker to read arbitrary files on the server filesystem, leading to a high confidentiality loss. Such unauthorized data exposure can result in non-compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access. Therefore, the vulnerability negatively impacts compliance by risking unauthorized disclosure of protected data. [1]