GHSA-H39G-6X3C-7FQ9
GHSA-h39g-6x3c-7fq9: Path Confinement Bypass in Zio SubFileSystem
Alon Barad
Software EngineerApr 20, 2026·5 min read·13 visits
Executive Summary (TL;DR)
Zio versions prior to 0.22.2 suffer from a path traversal vulnerability in SubFileSystem, enabling attackers to escape the directory sandbox.
The Zio library for .NET contains a path confinement bypass vulnerability allowing attackers to escape the SubFileSystem restricted directory structure. An attacker can use trailing slashes and traversal segments to read and write files in the parent filesystem.
Vulnerability Overview
The Zio library provides a virtual filesystem abstraction for .NET applications. One of its core components is the SubFileSystem class, which establishes a restricted directory view or sandbox within a larger parent filesystem. This mechanism isolates file operations to a specific sub-directory structure.
GHSA-h39g-6x3c-7fq9 identifies a path traversal vulnerability (CWE-22) affecting all versions of Zio prior to 0.22.2. The vulnerability allows an attacker to escape the SubFileSystem restriction by supplying specifically crafted directory paths. This circumvents the intended isolation boundary and exposes the parent filesystem to unauthorized access.
Successful exploitation grants the ability to read or write files outside the defined sandbox, bounded only by the permissions of the parent filesystem itself. If the parent filesystem is mapped directly to the host operating system, this flaw provides direct access to the underlying host disk.
Root Cause Analysis
The vulnerability originates from a logical flaw within the UPath.ValidateAndNormalize method. This internal function is responsible for sanitizing path inputs and standardizing directory separators. The method contained a performance optimization that prematurely halted validation if a path ended with a trailing separator.
When a path such as /../ was processed, the parser identified the trailing slash and triggered an early return. This returned the substring /.. before the normalization logic evaluated the path semantics. Consequently, the traversal segment .. bypassed the checks designed to prevent escaping the root directory.
This normalization failure compounded an implicit trust issue within the SubFileSystem class. The ConvertPathToDelegate method assumed that any incoming UPath object was thoroughly validated. It applied a relative path conversion and combined it with the designated sandbox root.
Because the crafted path retained its unvalidated traversal segment, combining the sandbox root /jail with .. resolved directly to the root of the parent filesystem. The lack of explicit perimeter validation after combination completed the bypass.
Code Analysis
The patch for this vulnerability addresses both the normalization bypass and the boundary validation logic. The fix removes the flawed early-return optimization in UPath.cs. By removing this block, the library ensures that all paths undergo complete semantic parsing regardless of trailing characters.
The critical remediation occurs within SubFileSystem.ConvertPathToDelegate. The patched version introduces an explicit boundary check using the IsInDirectory method. This validates the resolved path against the intended sandbox root before returning it to the caller.
protected override UPath ConvertPathToDelegate(UPath path)
{
var safePath = path.ToRelative();
var delegatePath = SubPath / safePath;
// New explicit boundary check prevents traversal
if (delegatePath != SubPath && !delegatePath.IsInDirectory(SubPath, true))
{
throw new UnauthorizedAccessException($"The path `{path}` escapes the sub filesystem root `{SubPath}`");
}
return delegatePath;
}This defensive programming approach ensures that even if a malformed path bypasses earlier validation steps, the final resolved location remains constrained. The patch completely remediates the known exploitation path for this flaw.
Exploitation Methodology
Exploiting this vulnerability requires the attacker to supply a crafted directory path to an endpoint or service interacting with a SubFileSystem instance. The input vector typically involves file upload, download, or management interfaces built on the Zio framework. No prior authentication is inherently required by the vulnerability itself, though the application logic may impose such prerequisites.
The attacker provides a path string ending in a traversal sequence and a trailing slash, such as /../. When the application passes this input to a SubFileSystem operation, the UPath parser incorrectly normalizes the string. The resulting UPath object retains the parent directory reference.
The SubFileSystem resolves this payload against its configured jail directory. The traversal sequence maps the operation to the parent filesystem root. Subsequent file operations, such as reading a configuration file or writing a malicious payload, execute successfully outside the intended sandbox boundary.
Impact Assessment
The vulnerability carries a CVSS 3.1 base score of 5.9, reflecting a medium severity rating. The impact is primarily categorized as limited confidentiality and integrity compromise. The scope of access depends entirely on the configuration of the parent filesystem wrapping the SubFileSystem.
If the parent filesystem is an in-memory construct (MemoryFileSystem), the attacker gains access to other virtual files and directories stored within that memory space. While concerning, this limits the attack surface to the application's internal data structures and prevents direct system compromise.
However, if the parent filesystem wraps the physical host filesystem (PhysicalFileSystem), the vulnerability escalates significantly. The attacker can traverse outward to read sensitive operating system files or write arbitrary data to unauthorized directories. This configuration increases the risk of broader system exploitation.
Remediation and Mitigation
The maintainers of the Zio library resolved this vulnerability in version 0.22.2. Organizations utilizing the package must update their dependencies to this version or later. The update applies the necessary code modifications to prevent both the normalization bypass and the boundary escape.
Development teams should verify their NuGet package configurations and ensure continuous integration pipelines pull the patched version. For applications where immediate updates are not feasible, implement manual path sanitization before passing user input to any Zio filesystem operation.
As an additional defensive measure, developers should explicitly validate that user-provided paths do not contain traversal characters (..) prior to UPath construction. Restricting the underlying parent filesystem to the least privilege necessary will further reduce the potential impact of similar confinement flaws.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS Score
5.9/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NAffected Systems
.NET applications utilizing the Zio libraryZio SubFileSystem components processing user-supplied paths
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Zio xoofx | < 0.22.2 | 0.22.2 |
| Attribute | Detail |
|---|---|
| CWE | CWE-22 |
| CVSS Score | 5.9 |
| Attack Vector | Network |
| Impact | Confidentiality (Low), Integrity (Low) |
| Exploit Status | Proof of Concept |
| Fixed Version | 0.22.2 |
MITRE ATT&CK Mapping
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Vulnerability Timeline
Fix commit merged into xoofx/zio repository
2026-04-17
GitHub Advisory GHSA-h39g-6x3c-7fq9 published
2026-04-18
Zio version 0.22.2 released on NuGet
2026-04-18
