CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-H39G-6X3C-7FQ9

GHSA-h39g-6x3c-7fq9: Path Confinement Bypass in Zio SubFileSystem

Alon Barad
Alon Barad
Software Engineer

Apr 20, 2026·5 min read·15 visits

Executive Summary (TL;DR)

Zio versions prior to 0.22.2 suffer from a path traversal vulnerability in SubFileSystem, enabling attackers to escape the directory sandbox.

The Zio library for .NET contains a path confinement bypass vulnerability allowing attackers to escape the SubFileSystem restricted directory structure. An attacker can use trailing slashes and traversal segments to read and write files in the parent filesystem.

Vulnerability Overview

The Zio library provides a virtual filesystem abstraction for .NET applications. One of its core components is the SubFileSystem class, which establishes a restricted directory view or sandbox within a larger parent filesystem. This mechanism isolates file operations to a specific sub-directory structure.

GHSA-h39g-6x3c-7fq9 identifies a path traversal vulnerability (CWE-22) affecting all versions of Zio prior to 0.22.2. The vulnerability allows an attacker to escape the SubFileSystem restriction by supplying specifically crafted directory paths. This circumvents the intended isolation boundary and exposes the parent filesystem to unauthorized access.

Successful exploitation grants the ability to read or write files outside the defined sandbox, bounded only by the permissions of the parent filesystem itself. If the parent filesystem is mapped directly to the host operating system, this flaw provides direct access to the underlying host disk.

Root Cause Analysis

The vulnerability originates from a logical flaw within the UPath.ValidateAndNormalize method. This internal function is responsible for sanitizing path inputs and standardizing directory separators. The method contained a performance optimization that prematurely halted validation if a path ended with a trailing separator.

When a path such as /../ was processed, the parser identified the trailing slash and triggered an early return. This returned the substring /.. before the normalization logic evaluated the path semantics. Consequently, the traversal segment .. bypassed the checks designed to prevent escaping the root directory.

This normalization failure compounded an implicit trust issue within the SubFileSystem class. The ConvertPathToDelegate method assumed that any incoming UPath object was thoroughly validated. It applied a relative path conversion and combined it with the designated sandbox root.

Because the crafted path retained its unvalidated traversal segment, combining the sandbox root /jail with .. resolved directly to the root of the parent filesystem. The lack of explicit perimeter validation after combination completed the bypass.

Code Analysis

The patch for this vulnerability addresses both the normalization bypass and the boundary validation logic. The fix removes the flawed early-return optimization in UPath.cs. By removing this block, the library ensures that all paths undergo complete semantic parsing regardless of trailing characters.

The critical remediation occurs within SubFileSystem.ConvertPathToDelegate. The patched version introduces an explicit boundary check using the IsInDirectory method. This validates the resolved path against the intended sandbox root before returning it to the caller.

protected override UPath ConvertPathToDelegate(UPath path)
{
    var safePath = path.ToRelative();
    var delegatePath = SubPath / safePath;
    // New explicit boundary check prevents traversal
    if (delegatePath != SubPath && !delegatePath.IsInDirectory(SubPath, true))
    {
        throw new UnauthorizedAccessException($"The path `{path}` escapes the sub filesystem root `{SubPath}`");
    }
    return delegatePath;
}

This defensive programming approach ensures that even if a malformed path bypasses earlier validation steps, the final resolved location remains constrained. The patch completely remediates the known exploitation path for this flaw.

Exploitation Methodology

Exploiting this vulnerability requires the attacker to supply a crafted directory path to an endpoint or service interacting with a SubFileSystem instance. The input vector typically involves file upload, download, or management interfaces built on the Zio framework. No prior authentication is inherently required by the vulnerability itself, though the application logic may impose such prerequisites.

The attacker provides a path string ending in a traversal sequence and a trailing slash, such as /../. When the application passes this input to a SubFileSystem operation, the UPath parser incorrectly normalizes the string. The resulting UPath object retains the parent directory reference.

The SubFileSystem resolves this payload against its configured jail directory. The traversal sequence maps the operation to the parent filesystem root. Subsequent file operations, such as reading a configuration file or writing a malicious payload, execute successfully outside the intended sandbox boundary.

Impact Assessment

The vulnerability carries a CVSS 3.1 base score of 5.9, reflecting a medium severity rating. The impact is primarily categorized as limited confidentiality and integrity compromise. The scope of access depends entirely on the configuration of the parent filesystem wrapping the SubFileSystem.

If the parent filesystem is an in-memory construct (MemoryFileSystem), the attacker gains access to other virtual files and directories stored within that memory space. While concerning, this limits the attack surface to the application's internal data structures and prevents direct system compromise.

However, if the parent filesystem wraps the physical host filesystem (PhysicalFileSystem), the vulnerability escalates significantly. The attacker can traverse outward to read sensitive operating system files or write arbitrary data to unauthorized directories. This configuration increases the risk of broader system exploitation.

Remediation and Mitigation

The maintainers of the Zio library resolved this vulnerability in version 0.22.2. Organizations utilizing the package must update their dependencies to this version or later. The update applies the necessary code modifications to prevent both the normalization bypass and the boundary escape.

Development teams should verify their NuGet package configurations and ensure continuous integration pipelines pull the patched version. For applications where immediate updates are not feasible, implement manual path sanitization before passing user input to any Zio filesystem operation.

As an additional defensive measure, developers should explicitly validate that user-provided paths do not contain traversal characters (..) prior to UPath construction. Restricting the underlying parent filesystem to the least privilege necessary will further reduce the potential impact of similar confinement flaws.

Official Patches

xoofxZio version 0.22.2 release notes

Fix Analysis (1)

Technical Appendix

CVSS Score
5.9/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected Systems

.NET applications utilizing the Zio libraryZio SubFileSystem components processing user-supplied paths

Affected Versions Detail

Product
Affected Versions
Fixed Version
Zio
xoofx
< 0.22.20.22.2
AttributeDetail
CWECWE-22
CVSS Score5.9
Attack VectorNetwork
ImpactConfidentiality (Low), Integrity (Low)
Exploit StatusProof of Concept
Fixed Version0.22.2

MITRE ATT&CK Mapping

T1083File and Directory Discovery
Discovery
T1567Exfiltration Over Web Service
Exfiltration
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Vulnerability Timeline

Fix commit merged into xoofx/zio repository
2026-04-17
GitHub Advisory GHSA-h39g-6x3c-7fq9 published
2026-04-18
Zio version 0.22.2 released on NuGet
2026-04-18

References & Sources

  • [1]GitHub Advisory GHSA-h39g-6x3c-7fq9
  • [2]OSV Record
  • [3]Zio NuGet Package

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 1 hour ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
0 views•7 min read
•about 5 hours ago•GHSA-8QQM-FP2Q-V734
8.2

GHSA-8QQM-FP2Q-V734: Authorization Bypass in Skipper's Open Policy Agent Integration

An authorization bypass vulnerability in the Open Policy Agent (OPA) integration of the Skipper HTTP router allows unauthenticated remote attackers to bypass OPA policy inspection. When an incoming HTTP request declares a Content-Length exceeding Skipper's configured maxBodyBytes limit, Skipper bypasses body parsing and forwards an empty document to OPA, while transmitting the full, uninspected payload intact to the upstream backend.

Amit Schendel
Amit Schendel
3 views•6 min read
•about 7 hours ago•CVE-2026-53597
8.7

CVE-2026-53597: Remote Code Execution in Microsoft prompty via Insecure gray-matter Parsing

CVE-2026-53597 is a high-severity code injection vulnerability in Microsoft's prompty library, specifically affecting the TypeScript loader (@prompty/core). Due to an insecure default configuration in the underlying gray-matter metadata parser, processing untrusted prompt files containing executable JavaScript blocks inside the frontmatter results in arbitrary remote code execution within the security context of the parent Node.js process.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 8 hours ago•GHSA-RJWR-M7QX-3FJR
8.6

GHSA-RJWR-M7QX-3FJR: Code Generation Injection in oapi-codegen

An arbitrary code generation injection vulnerability in the oapi-codegen OpenAPI toolchain allows remote attackers to inject executable Go statements into compiled outputs via manipulated specifications.

Alon Barad
Alon Barad
6 views•7 min read
•about 9 hours ago•CVE-2026-55646
6.5

CVE-2026-55646: Remote Denial of Service via Memory Exhaustion in vLLM Speech-to-Text Endpoints

A severe denial-of-service (DoS) vulnerability exists in the speech-to-text API endpoints of the vLLM serving engine from version 0.22.0 to 0.23.0. The flaw is triggered by the direct deserialization and reading of uploaded files into RAM prior to validating file-size limits. An authenticated attacker can exploit this behavior by submitting large file payloads, causing resource starvation and forcing the operating system kernel to terminate the serving process.

Alon Barad
Alon Barad
7 views•5 min read
•about 10 hours ago•CVE-2026-34760
5.9

CVE-2026-34760: Adversarial Prompt Injection via Unweighted Audio Downmixing in vLLM

An improper input validation vulnerability (CWE-20) exists in vLLM versions 0.5.5 through 0.17.2 when processing multi-channel audio tracks. By relying on librosa's flat arithmetic mean instead of physical downmixing standards, vLLM blends sub-audible low-frequency or surround channels with equal weight. This enables an attacker to inject adversarial prompt sequences that bypass human moderation but are parsed clearly by speech-to-text models.

Amit Schendel
Amit Schendel
7 views•8 min read