Apr 20, 2026·5 min read·15 visits
Zio versions prior to 0.22.2 suffer from a path traversal vulnerability in SubFileSystem, enabling attackers to escape the directory sandbox.
The Zio library for .NET contains a path confinement bypass vulnerability allowing attackers to escape the SubFileSystem restricted directory structure. An attacker can use trailing slashes and traversal segments to read and write files in the parent filesystem.
The Zio library provides a virtual filesystem abstraction for .NET applications. One of its core components is the SubFileSystem class, which establishes a restricted directory view or sandbox within a larger parent filesystem. This mechanism isolates file operations to a specific sub-directory structure.
GHSA-h39g-6x3c-7fq9 identifies a path traversal vulnerability (CWE-22) affecting all versions of Zio prior to 0.22.2. The vulnerability allows an attacker to escape the SubFileSystem restriction by supplying specifically crafted directory paths. This circumvents the intended isolation boundary and exposes the parent filesystem to unauthorized access.
Successful exploitation grants the ability to read or write files outside the defined sandbox, bounded only by the permissions of the parent filesystem itself. If the parent filesystem is mapped directly to the host operating system, this flaw provides direct access to the underlying host disk.
The vulnerability originates from a logical flaw within the UPath.ValidateAndNormalize method. This internal function is responsible for sanitizing path inputs and standardizing directory separators. The method contained a performance optimization that prematurely halted validation if a path ended with a trailing separator.
When a path such as /../ was processed, the parser identified the trailing slash and triggered an early return. This returned the substring /.. before the normalization logic evaluated the path semantics. Consequently, the traversal segment .. bypassed the checks designed to prevent escaping the root directory.
This normalization failure compounded an implicit trust issue within the SubFileSystem class. The ConvertPathToDelegate method assumed that any incoming UPath object was thoroughly validated. It applied a relative path conversion and combined it with the designated sandbox root.
Because the crafted path retained its unvalidated traversal segment, combining the sandbox root /jail with .. resolved directly to the root of the parent filesystem. The lack of explicit perimeter validation after combination completed the bypass.
The patch for this vulnerability addresses both the normalization bypass and the boundary validation logic. The fix removes the flawed early-return optimization in UPath.cs. By removing this block, the library ensures that all paths undergo complete semantic parsing regardless of trailing characters.
The critical remediation occurs within SubFileSystem.ConvertPathToDelegate. The patched version introduces an explicit boundary check using the IsInDirectory method. This validates the resolved path against the intended sandbox root before returning it to the caller.
protected override UPath ConvertPathToDelegate(UPath path)
{
var safePath = path.ToRelative();
var delegatePath = SubPath / safePath;
// New explicit boundary check prevents traversal
if (delegatePath != SubPath && !delegatePath.IsInDirectory(SubPath, true))
{
throw new UnauthorizedAccessException($"The path `{path}` escapes the sub filesystem root `{SubPath}`");
}
return delegatePath;
}This defensive programming approach ensures that even if a malformed path bypasses earlier validation steps, the final resolved location remains constrained. The patch completely remediates the known exploitation path for this flaw.
Exploiting this vulnerability requires the attacker to supply a crafted directory path to an endpoint or service interacting with a SubFileSystem instance. The input vector typically involves file upload, download, or management interfaces built on the Zio framework. No prior authentication is inherently required by the vulnerability itself, though the application logic may impose such prerequisites.
The attacker provides a path string ending in a traversal sequence and a trailing slash, such as /../. When the application passes this input to a SubFileSystem operation, the UPath parser incorrectly normalizes the string. The resulting UPath object retains the parent directory reference.
The SubFileSystem resolves this payload against its configured jail directory. The traversal sequence maps the operation to the parent filesystem root. Subsequent file operations, such as reading a configuration file or writing a malicious payload, execute successfully outside the intended sandbox boundary.
The vulnerability carries a CVSS 3.1 base score of 5.9, reflecting a medium severity rating. The impact is primarily categorized as limited confidentiality and integrity compromise. The scope of access depends entirely on the configuration of the parent filesystem wrapping the SubFileSystem.
If the parent filesystem is an in-memory construct (MemoryFileSystem), the attacker gains access to other virtual files and directories stored within that memory space. While concerning, this limits the attack surface to the application's internal data structures and prevents direct system compromise.
However, if the parent filesystem wraps the physical host filesystem (PhysicalFileSystem), the vulnerability escalates significantly. The attacker can traverse outward to read sensitive operating system files or write arbitrary data to unauthorized directories. This configuration increases the risk of broader system exploitation.
The maintainers of the Zio library resolved this vulnerability in version 0.22.2. Organizations utilizing the package must update their dependencies to this version or later. The update applies the necessary code modifications to prevent both the normalization bypass and the boundary escape.
Development teams should verify their NuGet package configurations and ensure continuous integration pipelines pull the patched version. For applications where immediate updates are not feasible, implement manual path sanitization before passing user input to any Zio filesystem operation.
As an additional defensive measure, developers should explicitly validate that user-provided paths do not contain traversal characters (..) prior to UPath construction. Restricting the underlying parent filesystem to the least privilege necessary will further reduce the potential impact of similar confinement flaws.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
Zio xoofx | < 0.22.2 | 0.22.2 |
| Attribute | Detail |
|---|---|
| CWE | CWE-22 |
| CVSS Score | 5.9 |
| Attack Vector | Network |
| Impact | Confidentiality (Low), Integrity (Low) |
| Exploit Status | Proof of Concept |
| Fixed Version | 0.22.2 |
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.
An authorization bypass vulnerability in the Open Policy Agent (OPA) integration of the Skipper HTTP router allows unauthenticated remote attackers to bypass OPA policy inspection. When an incoming HTTP request declares a Content-Length exceeding Skipper's configured maxBodyBytes limit, Skipper bypasses body parsing and forwards an empty document to OPA, while transmitting the full, uninspected payload intact to the upstream backend.
CVE-2026-53597 is a high-severity code injection vulnerability in Microsoft's prompty library, specifically affecting the TypeScript loader (@prompty/core). Due to an insecure default configuration in the underlying gray-matter metadata parser, processing untrusted prompt files containing executable JavaScript blocks inside the frontmatter results in arbitrary remote code execution within the security context of the parent Node.js process.
An arbitrary code generation injection vulnerability in the oapi-codegen OpenAPI toolchain allows remote attackers to inject executable Go statements into compiled outputs via manipulated specifications.
A severe denial-of-service (DoS) vulnerability exists in the speech-to-text API endpoints of the vLLM serving engine from version 0.22.0 to 0.23.0. The flaw is triggered by the direct deserialization and reading of uploaded files into RAM prior to validating file-size limits. An authenticated attacker can exploit this behavior by submitting large file payloads, causing resource starvation and forcing the operating system kernel to terminate the serving process.
An improper input validation vulnerability (CWE-20) exists in vLLM versions 0.5.5 through 0.17.2 when processing multi-channel audio tracks. By relying on librosa's flat arithmetic mean instead of physical downmixing standards, vLLM blends sub-audible low-frequency or surround channels with equal weight. This enables an attacker to inject adversarial prompt sequences that bypass human moderation but are parsed clearly by speech-to-text models.