Path traversal on Windows in path/filepath

GO-2023-1568 · BIT-golang-2022-41722 · CVE-2022-41722

Published Feb 16, 2023 · Modified Feb 4, 2026

Description

A path traversal vulnerability exists in filepath.Clean on Windows.

On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack.

After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".

References

REPORT https://go.dev/issue/57274
FIX https://go.dev/cl/468123
WEB https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes