Vulnerable Library - github.com/valyala/fasthttp-v1.31.0

Fast HTTP package for Go. Tuned for high performance. Zero memory allocations in hot paths. Up to 10x faster than net/http

Dependency Hierarchy:

• github.com/dysnix/predictkube-libs-v0.0.3 (Root Library)
  • ❌ github.com/valyala/fasthttp-v1.31.0 (Vulnerable Library)

Found in HEAD commit: 4213ed86dc859b83c4f126853835fab3dc987b5d

Found in base branch: main

Vulnerability Details

The package github.com/valyala/fasthttp before 1.34.0 are vulnerable to Directory Traversal via the ServeFile function, due to improper sanitization. It is possible to be exploited by using a backslash %5c character in the path. Note: This security issue impacts Windows users only.

Publish Date: 2022-03-17

URL: CVE-2022-21221

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21221

Release Date: 2022-03-17

Fix Resolution: v1.34.0