Question 1

Is there a bug in github.com/valyala/fasthttp?

Accepted Answer

Path traversal in github.com/valyala/fasthttp The package github.com/valyala/fasthttp before 1.34.0 is vulnerable to Directory Traversal via the ServeFile function, due to improper sanitization. It is possible to be exploited by using a backslash %5c character in the path. **Note:** This security issue impacts Windows users only. Fixed in github.com/valyala/fasthttp 1.34.0.

Question 2

Is there a bug in github.com/valyala/fasthttp?

Accepted Answer

Path traversal in github.com/valyala/fasthttp The fasthttp.FS request handler is vulnerable to directory traversal attacks on Windows systems, and can serve files from outside the provided root directory.

URL path normalization does not handle Windows path separators (backslashes), permitting an attacker to construct requests with relative paths. Fixed in github.com/valyala/fasthttp 1.34.0.

Severity	Affected	Fixed in	Title	Status	Source
high	any	1.34.0	Path traversal in github.com/valyala/fasthttp The package github.com/valyala/fasthttp before 1.34.0 is vulnerable to Directory Traversal via the ServeFile function, due to improper sanitization. It is possible to be exploited by using a backslash %5c character in the path. Note: This security issue impacts Windows users only.	fixed	osv:GHSA-fx95-883v-4q4h
medium	any	1.34.0	Path traversal in github.com/valyala/fasthttp The fasthttp.FS request handler is vulnerable to directory traversal attacks on Windows systems, and can serve files from outside the provided root directory. URL path normalization does not handle Windows path separators (backslashes), permitting an attacker to construct requests with relative paths.	fixed	osv:GO-2022-0355

github.com/valyala/fasthttp known bugs