CVE-2026-8023
Received - Intake

Path Traversal in Zephyr RTOS HTTP Server

Vulnerability report for CVE-2026-8023, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: Zephyr Project

Description

Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when CONFIG_FILE_SYSTEM is enabled) that serves files from a configured root directory. Before this fix, both the HTTP/1 and HTTP/2 front-ends placed the raw, attacker-controlled request path into client->url_buffer (assembled in on_url() for HTTP/1 and copied verbatim from the :path pseudo-header for HTTP/2) without resolving "./" and "../" segments. The static-FS handler then built the on-disk filename by directly concatenating the configured root with that raw URL (snprintk(fname, ..., "%s%s", static_fs_detail->fs_path, client->url_buffer) at http_server_http1.c:603 and http_server_http2.c:490) and opened it with fs_open(fname, FS_O_READ).

Because the handler is reached via wildcard/leading-directory matching (fnmatch with FNM_LEADING_DIR) or fallback resource matching, a request such as GET /<prefix>/../../<file> is dispatched to the handler and, once the underlying filesystem (e.g. LittleFS or FAT) resolves the ".." segments, escapes the configured web root. An unauthenticated remote client can thereby read any readable file on the mounted volume (information disclosure); the HTTP server requires neither TLS nor authentication to reach this path.

The fix adds http_server_remove_dot_segments(), which canonicalizes the path portion of the URL before resource lookup in both protocol handlers, neutralizing the traversal. Affected: releases v4.0.0 through v4.4.0, for deployments that register a static-filesystem resource.
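The vulnerable concatenation and the canonicalizing fix described above, as an added C example. This is not Zephyr's code: the helper names, the web root /lfs/www and the request path /static/../../secret.txt are constructed for illustration. remove_dot_segments() implements RFC 3986 section 5.2.4; the same routine is also used here as a stand-in for how the filesystem resolves ".." in the final on-disk path, which is what turns the vulnerable string into an escape.

```c
/* Added example, not Zephyr's code: vulnerable vs. hardened filename
 * construction for a static-filesystem HTTP resource. Helper names,
 * the web root and the request path are constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 128

/* Vulnerable pattern: root + raw request path, nothing canonicalized. */
static int build_fname_vulnerable(char *fname, size_t size,
                                  const char *fs_path, const char *url)
{
    return snprintf(fname, size, "%s%s", fs_path, url);
}

/* RFC 3986 section 5.2.4 remove_dot_segments on a path without a query.
 * Writes the canonical path to out; returns false if it would not fit. */
static bool remove_dot_segments(const char *in, char *out, size_t out_size)
{
    const char *p = in;
    size_t olen = 0;

    while (*p != '\0') {
        if (strncmp(p, "../", 3) == 0) { p += 3; continue; }       /* A */
        if (strncmp(p, "./", 2) == 0) { p += 2; continue; }        /* A */
        if (strncmp(p, "/./", 3) == 0) { p += 2; continue; }       /* B */
        if (strcmp(p, "/.") == 0) { p = "/"; continue; }           /* B */
        if (strncmp(p, "/../", 4) == 0 || strcmp(p, "/..") == 0) { /* C */
            p = (p[3] == '/') ? p + 3 : "/";
            while (olen > 0 && out[olen - 1] != '/') olen--;  /* pop segment */
            if (olen > 0) olen--;                             /* and its '/' */
            continue;
        }
        if (strcmp(p, ".") == 0 || strcmp(p, "..") == 0) break;   /* D */
        /* E: move one segment, leading '/' included, to the output. */
        const char *next = strchr(p + (*p == '/' ? 1 : 0), '/');
        size_t seglen = next ? (size_t)(next - p) : strlen(p);
        if (olen + seglen >= out_size) return false;
        memcpy(out + olen, p, seglen);
        olen += seglen;
        p += seglen;
    }
    out[olen] = '\0';
    return true;
}

/* Hardened pattern: canonicalize the path portion (query dropped) before
 * concatenating with the root. Returns -1 if a buffer would overflow. */
static int build_fname_hardened(char *fname, size_t size,
                                const char *fs_path, const char *url)
{
    char path[PATH_BUF], canon[PATH_BUF];
    const char *q = strchr(url, '?');
    size_t plen = q ? (size_t)(q - url) : strlen(url);

    if (plen >= sizeof(path)) return -1;
    memcpy(path, url, plen);
    path[plen] = '\0';
    if (!remove_dot_segments(path, canon, sizeof(canon))) return -1;
    return snprintf(fname, size, "%s%s", fs_path, canon);
}

/* Cheap second line of defence: the resolved path must be root itself or
 * lie below it (root given without a trailing '/'). */
static bool stays_within_root(const char *resolved, const char *root)
{
    size_t rlen = strlen(root);
    return strncmp(resolved, root, rlen) == 0 &&
           (resolved[rlen] == '\0' || resolved[rlen] == '/');
}

/* Canonical form of a path in a static buffer (demo/test convenience). */
static const char *canon_static(const char *in)
{
    static char buf[PATH_BUF];
    return remove_dot_segments(in, buf, sizeof(buf)) ? buf : NULL;
}

/* Resolve fname the way the filesystem would (".." handled lexically, as
 * LittleFS/FAT do) and report whether the opened file lies outside root.
 * hardened selects the construction exercised; false on buffer errors. */
static bool escapes_root(bool hardened, const char *root, const char *url)
{
    char fname[PATH_BUF], resolved[PATH_BUF];
    int n = hardened ? build_fname_hardened(fname, sizeof(fname), root, url)
                     : build_fname_vulnerable(fname, sizeof(fname), root, url);
    if (n < 0 || (size_t)n >= sizeof(fname)) return false;
    if (!remove_dot_segments(fname, resolved, sizeof(resolved))) return false;
    return !stays_within_root(resolved, root);
}

int main(void)
{
    const char *root = "/lfs/www", *url = "/static/../../secret.txt"; /* constructed */
    printf("canonical request path: %s\n", canon_static(url));
    printf("vulnerable: %s\n", escapes_root(false, root, url) ? "escapes root" : "contained");
    printf("hardened:   %s\n", escapes_root(true, root, url) ? "escapes root" : "contained");
    return 0;
}
```

Two caveats worth keeping in mind when applying this pattern: remove_dot_segments() works on literal characters, so any percent-decoding must happen before it, not after, or "%2e%2e" would be reintroduced as ".." later; and the containment check is lexical, which is adequate for the flat LittleFS/FAT volumes typical of Zephyr targets but would not account for links on filesystems that support them.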


Meta Information

Generated: 2026-06-30
AI Q&A generated: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

1 associated CPE

Vendor: zephyrproject
Product: zephyr
Version / Range: from 4.0.0 (inclusive) to 4.4.0 (inclusive)


Exploitability

CWE

CWE-23 (Relative Path Traversal): The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.


AI Quick Actions (AI-generated analysis)
Executive Summary

This vulnerability exists in Zephyr's HTTP server static-filesystem resource type, which serves files from a configured root directory. Before the fix, the server did not resolve "./" and "../" segments in the URL path. As a result, an attacker could craft a request whose path traversal sequences bypass the intended root directory restriction.

The server concatenated the raw, attacker-controlled URL path directly to the root directory path without sanitizing it, allowing the attacker to escape the web root directory and access arbitrary readable files on the mounted filesystem.

This could be exploited remotely without any authentication or TLS, simply by sending a specially crafted HTTP request.

The fix involved adding a function to canonicalize and remove dot segments from the URL path before accessing files, preventing directory traversal attacks.

Impact Analysis

This vulnerability leads to information disclosure: an unauthenticated remote attacker can read arbitrary readable files on the mounted volume, outside the web root the operator intended to expose.

Since the attacker can access files outside the intended web root, any sensitive data stored on the same volume (configuration, credentials, logs) could be exposed.

The advisory describes no write or denial-of-service primitive; the reported impact is to confidentiality only, and that impact is high.

Mitigation Strategies

To mitigate this vulnerability, update the Zephyr HTTP server to a release that contains the fix (the advisory lists v4.0.0 through v4.4.0 as affected), or backport the fix commit to your tree.

The fix canonicalizes the URL path, removing dot segments ("./" and "../") before resource lookup in both the HTTP/1 and HTTP/2 handlers, so that the filename concatenated with the configured root can no longer step above it.

If updating immediately is not possible, note that the vulnerable code is only reached when a static-filesystem resource (HTTP_RESOURCE_TYPE_STATIC_FS) is registered: remove that resource or disable it, restrict access to the HTTP server to trusted networks, and keep the static-FS root on a volume that holds nothing you would not serve, since any readable file on that mounted volume is exposed. Authentication or TLS added in front of the server is no substitute, as the affected path requires neither.
