GHSA-h39g-6x3c-7fq9: Path Confinement Bypass in Zio SubFileSystem

The Zio library provides a virtual filesystem abstraction for .NET applications. One of its core components is the SubFileSystem class, which establishes a restricted directory view or sandbox within a larger parent filesystem. This mechanism isolates file operations to a specific sub-directory structure.

GHSA-h39g-6x3c-7fq9 identifies a path traversal vulnerability (CWE-22) affecting all versions of Zio prior to 0.22.2. The vulnerability allows an attacker to escape the SubFileSystem restriction by supplying specifically crafted directory paths. This circumvents the intended isolation boundary and exposes the parent filesystem to unauthorized access.

Successful exploitation grants the ability to read or write files outside the defined sandbox, bounded only by the permissions of the parent filesystem itself. If the parent filesystem is mapped directly to the host operating system, this flaw provides direct access to the underlying host disk.

The vulnerability originates from a logical flaw within the UPath.ValidateAndNormalize method. This internal function is responsible for sanitizing path inputs and standardizing directory separators. The method contained a performance optimization that prematurely halted validation if a path ended with a trailing separator.

When a path such as /../ was processed, the parser identified the trailing slash and triggered an early return. This returned the substring /.. before the normalization logic evaluated the path semantics. Consequently, the traversal segment .. bypassed the checks designed to prevent escaping the root directory.

This normalization failure compounded an implicit trust issue within the SubFileSystem class. The ConvertPathToDelegate method assumed that any incoming UPath object was thoroughly validated. It applied a relative path conversion and combined it with the designated sandbox root.

Because the crafted path retained its unvalidated traversal segment, combining the sandbox root /jail with .. resolved directly to the root of the parent filesystem. The lack of explicit perimeter validation after combination completed the bypass.

The patch for this vulnerability addresses both the normalization bypass and the boundary validation logic. The fix removes the flawed early-return optimization in UPath.cs. By removing this block, the library ensures that all paths undergo complete semantic parsing regardless of trailing characters.

The critical remediation occurs within SubFileSystem.ConvertPathToDelegate. The patched version introduces an explicit boundary check using the IsInDirectory method. This validates the resolved path against the intended sandbox root before returning it to the caller.

protected override UPath ConvertPathToDelegate(UPath path)
{
    var safePath = path.ToRelative();
    var delegatePath = SubPath / safePath;
    // New explicit boundary check prevents traversal
    if (delegatePath != SubPath && !delegatePath.IsInDirectory(SubPath, true))
    {
        throw new UnauthorizedAccessException($"The path `{path}` escapes the sub filesystem root `{SubPath}`");
    }
    return delegatePath;
}

This defensive programming approach ensures that even if a malformed path bypasses earlier validation steps, the final resolved location remains constrained. The patch completely remediates the known exploitation path for this flaw.

Exploiting this vulnerability requires the attacker to supply a crafted directory path to an endpoint or service interacting with a SubFileSystem instance. The input vector typically involves file upload, download, or management interfaces built on the Zio framework. No prior authentication is inherently required by the vulnerability itself, though the application logic may impose such prerequisites.

The attacker provides a path string ending in a traversal sequence and a trailing slash, such as /../. When the application passes this input to a SubFileSystem operation, the UPath parser incorrectly normalizes the string. The resulting UPath object retains the parent directory reference.

The SubFileSystem resolves this payload against its configured jail directory. The traversal sequence maps the operation to the parent filesystem root. Subsequent file operations, such as reading a configuration file or writing a malicious payload, execute successfully outside the intended sandbox boundary.

The vulnerability carries a CVSS 3.1 base score of 5.9, reflecting a medium severity rating. The impact is primarily categorized as limited confidentiality and integrity compromise. The scope of access depends entirely on the configuration of the parent filesystem wrapping the SubFileSystem.

If the parent filesystem is an in-memory construct (MemoryFileSystem), the attacker gains access to other virtual files and directories stored within that memory space. While concerning, this limits the attack surface to the application's internal data structures and prevents direct system compromise.

However, if the parent filesystem wraps the physical host filesystem (PhysicalFileSystem), the vulnerability escalates significantly. The attacker can traverse outward to read sensitive operating system files or write arbitrary data to unauthorized directories. This configuration increases the risk of broader system exploitation.

The maintainers of the Zio library resolved this vulnerability in version 0.22.2. Organizations utilizing the package must update their dependencies to this version or later. The update applies the necessary code modifications to prevent both the normalization bypass and the boundary escape.

Development teams should verify their NuGet package configurations and ensure continuous integration pipelines pull the patched version. For applications where immediate updates are not feasible, implement manual path sanitization before passing user input to any Zio filesystem operation.

As an additional defensive measure, developers should explicitly validate that user-provided paths do not contain traversal characters (..) prior to UPath construction. Restricting the underlying parent filesystem to the least privilege necessary will further reduce the potential impact of similar confinement flaws.