Full Path Disclosure #771
Description
Full Path Disclosure
Severity: Medium Discovered: 08 of November-2025, 09:35 PM UTC
CWE ID
CWE-200
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
Webroot files and directories are exposed to the attacker. This information can be used to further exploit the system using attack vectors such as Local File Inclusion (LFI) and Directory Traversal. It can lead to the disclosure of sensitive information such as configuration files, source code, and other sensitive information.
Possible exposure
Read Application Data; Access to Privileged Information
Remediation suggestions
Ensure that the application does not expose full path information to the attacker. This can be achieved by configuring exception handling to display generic error messages to the user and logging detailed error messages to the server logs.
Request
GET http://docker:3000/api/file?path=..%25255c%2Fproducts%2Fcrystals%2Famethyst.jpg&type=image%2Fjpg HTTP/1.1
Cookie: bc-calls-counter=1762637695017; connect.sid=N1dBMm_Orzc2ruDFdTuuUEP0K6j3Vawi.gxDxVJGH5HA2WgYToEKG5e7OV9rl%2BDvMvZemcz5E97I
accept: image/jpg
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.7258.154 Safari/537.36Response
HTTP/1.1 500
date: Sat, 08 Nov 2025 21:35:03 GMT
Connection: close
Set-Cookie: connect.sid=N1dBMm_Orzc2ruDFdTuuUEP0K6j3Vawi.gxDxVJGH5HA2WgYToEKG5e7OV9rl%2BDvMvZemcz5E97I; domain=docker; path=/
content-type: application/json; charset=utf-8
Cache-Control: public, max-age=99999
content-length: 107
{"error":"ENOENT: no such file or directory, access '/usr/src/app/..%255c/products/crystals/amethyst.jpg'"}