CVE-2022-35920 HIGH

CVE-2022-35920: Improper Limitation of a Pathname to a Restricted Directory in sanic

Vendor Sanic-Org
Product sanic
Weakness CWE-22 · Path traversal
Published August 1, 2022
Last update April 22, 2025

CVSS base score

8.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

Description

Sanic is an open-source Python web server/framework. Affected versions of Sanic allow access to lateral directories when using `app.static` if the request uses URL-encoded `%2F` path separators. Parent directory traversal is not impacted. Users are advised to upgrade. There is no known workaround for this issue.
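The defensive point behind this class of bug is that any containment check on a static-file path must run on the percent-decoded path, resolved against the real static root. The snippet below is an added illustration, not Sanic's own code: `segment_check_before_decoding` is a constructed example of a check that misses an encoded separator, and `resolve_static_file` is the hardened form; the `/srv/www/static` root is an assumed path.

```python
import os
from urllib.parse import unquote


def segment_check_before_decoding(requested: str) -> bool:
    """Constructed example of a weak check: it splits on literal '/' and rejects
    '..' segments, but runs BEFORE percent-decoding, so '%2F' never splits a
    segment and '..%2F..' is treated as an ordinary filename."""
    return ".." not in requested.split("/")


def resolve_static_file(static_root: str, requested: str):
    """Return the absolute path to serve for `requested` under `static_root`,
    or None when the decoded path would leave the static directory.

    Order matters: decode first, then normalise/resolve, then compare against
    the resolved root, so encoded separators and '..' are handled identically
    to their literal forms."""
    decoded = unquote(requested)
    if "\x00" in decoded:  # embedded NUL can truncate paths at the OS layer
        return None
    root = os.path.realpath(static_root)
    # Strip leading slashes so os.path.join cannot be redirected to an
    # absolute path supplied by the client.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath is a robust containment test (a plain startswith would accept
    # a sibling such as /srv/www/static-private).
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    ROOT = "/srv/www/static"  # assumed static root for the demonstration
    for req in ("css/site.css", "css%2Fsite.css", "..%2F..%2Fetc%2Fpasswd"):
        print(req, segment_check_before_decoding(req), resolve_static_file(ROOT, req))
```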

Key dates

Disclosure timeline

August 1, 2022 CVE published
April 22, 2025 Record updated