Path Traversal Vulnerability in Go net/url (CVE-2022-32190)

The Go net/url package contains a path traversal flaw (CVE-2022-32190): JoinPath fails to strip "../" segments from appended relative paths, which can allow attackers to access sensitive files. Go versions prior to 1.18.6 and 1.19.1 are affected; upgrading to the patched releases mitigates the issue.

Laravel Tech Community

Vulnerability Description

The Go language component net/url implements URL parsing and query escaping. A path traversal vulnerability exists in net/url because the JoinPath function does not remove "../" elements from the relative paths it appends, which can let an attacker read arbitrary files on the system. A proof-of-concept (PoC) for this issue is already available.

Vulnerability Details

Vulnerability Name

Go net/url Path Traversal Vulnerability

Vulnerability Type

Path Traversal

Discovery Date

2022/09/13

Impact Scope

Wide

MPS ID

MPS-2022-17132

CVE ID

CVE-2022-32190

CNVD ID

-

Affected Versions

net/url versions [1.19, 1.19.1)
net/url versions [1, 1.18.6)

Mitigation

Upgrade Go to version 1.18.6, 1.19.1, or any later release that includes the fix.
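Upgrading is the fix; as an added defence-in-depth example (not from the advisory or the Go project), the helper below joins untrusted path elements onto a base URL and rejects any result whose path leaves the base, so the containment check holds even on a runtime that has not been upgraded. The base URL, example.test host and path elements are constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrEscapesBase is returned when the joined path would leave the base path.
var ErrEscapesBase = errors.New("joined path escapes the base URL path")

// within reports whether p (cleaned, rooted) is base itself or lies below it.
func within(base, p string) bool {
	base = path.Clean("/" + base)
	p = path.Clean("/" + p)
	return base == "/" || p == base || strings.HasPrefix(p, base+"/")
}

// JoinUnderBase joins untrusted path elements onto base and rejects any result
// not contained in base's own path. It does not depend on a patched JoinPath:
// containment is checked on the percent-decoded path (what a file server would
// resolve) and the escaped form is re-cleaned from "/" so no "../" survives.
func JoinUnderBase(base string, elems ...string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	joined := u.JoinPath(elems...)
	if !within(u.Path, joined.Path) {
		return "", ErrEscapesBase
	}
	// Re-clean the escaped form so a leading "../" can never remain in the URL.
	escaped := path.Clean("/" + joined.EscapedPath())
	decoded, err := url.PathUnescape(escaped)
	if err != nil {
		return "", err
	}
	joined.Path, joined.RawPath = decoded, escaped
	return joined.String(), nil
}

func main() {
	// Constructed inputs; example.test is a reserved, non-routable name.
	for _, elems := range [][]string{{"users", "42"}, {"../../etc/passwd"}, {"%2e%2e/%2e%2e/etc/passwd"}} {
		out, err := JoinUnderBase("https://example.test/api/v1", elems...)
		fmt.Printf("%q -> %q %v\n", elems, out, err)
	}
}
```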

Original Source

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Vulnerability, CVE-2022-32190, net/url, path traversal
Written by

Laravel Tech Community

Specializing in Laravel development, we continuously publish fresh content and grow alongside the elegant, stable Laravel framework.
