CVE-2026-42351
Directory Traversal in pygeoapi STAC FileSystemProvider
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| geopy | pygeoapi | From 0.23.0 (inc) to 0.23.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in pygeoapi versions from 0.23.0 to before 0.23.3, specifically in the STAC FileSystemProvider plugin. The provider builds file system paths by raw string concatenation, which can allow unauthorized requests to expose directories within collections backed by a STAC collection.
The issue occurs when pygeoapi is deployed without a proxy or web front end that normalizes URLs containing '..' path traversal sequences, combined with a resource of type stac-collection defined in the configuration.
This vulnerability was fixed in version 0.23.3.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized exposure of directories containing STAC collections due to a path concatenation flaw in pygeoapi's STAC FileSystemProvider plugin. Such unauthorized data exposure could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information.
However, the provided information does not specify the nature of the data exposed or whether it includes personal or sensitive information covered by these regulations.
How can this vulnerability impact me?
This vulnerability can allow an attacker to access directories and potentially sensitive files without authentication by exploiting the path traversal issue.
Since the vulnerability allows unauthorized directory exposure, it can lead to information disclosure, which may compromise confidentiality.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade pygeoapi to version 0.23.3 or later, where the issue has been patched.
Additionally, deploying pygeoapi behind a proxy or web front end that normalizes URLs containing '..' values can help prevent exploitation.
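The two mitigations above (a provider that checks the resolved path, and a front end that normalizes request paths) can be illustrated with a small stand-alone example. This is added example code, not pygeoapi's own provider or its fix; `BASE_DIR`, the file names and the function names are constructed for the illustration and do not reproduce the plugin's real layout.

```python
import os
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed stand-in for a STAC collection's data directory (assumed path).
BASE_DIR = "/srv/stac/collection-a"


def unsafe_join(base_dir: str, requested: str) -> str:
    """The CWE-22 pattern: raw string concatenation. Nothing stops a
    '..' segment in `requested` from walking above base_dir."""
    return base_dir + "/" + requested


def safe_join(base_dir: str, requested: str) -> Optional[str]:
    """Hardened provider-side check: resolve the candidate path, then
    confirm it still lies under the resolved base directory.
    Returns None when the request would escape base_dir."""
    root = os.path.realpath(base_dir)
    # os.path.join discards `root` if `requested` is absolute; realpath
    # then collapses any '..' segments, so the containment test below
    # sees the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def escapes_base(base_dir: str, requested: str) -> bool:
    """True when the concatenated path resolves outside base_dir,
    i.e. when unsafe_join would have served a file it should not."""
    return safe_join(base_dir, requested) is None


def url_path_is_normalized(url_path: str) -> bool:
    """Front-end style check: a normalizing proxy rewrites '.' and '..'
    segments before the request reaches the application. This returns
    True only if the (percent-decoded) path has no such segments, so a
    request that still carries them can be rejected outright."""
    decoded = unquote(url_path)
    if any(seg in (".", "..") for seg in decoded.split("/")):
        return False
    # A normalized path also equals its own posixpath.normpath form.
    return posixpath.normpath(decoded) == decoded.rstrip("/") or decoded == "/"


if __name__ == "__main__":
    for req in ("items/item-1.json", "../../etc/hostname", "/etc/hostname"):
        print(f"{req!r}: concat={unsafe_join(BASE_DIR, req)!r}, "
              f"safe={safe_join(BASE_DIR, req)!r}")
```

`safe_join` compares the resolved candidate against the resolved base rather than searching the request string for `..`, so symlinks and `a/../b` style segments are handled the same way the file system would handle them. `url_path_is_normalized` models what a normalizing front end guarantees, and can be used to refuse requests that were not normalized when pygeoapi is reached directly.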