BestHub
search
Sign in
Information Security 3 min read

Path Traversal Vulnerability in Go net/url (CVE-2022-32190)

The Go net/url package contains a path traversal flaw (CVE-2022-32190) where JoinPath fails to strip "../" segments, allowing attackers to access sensitive files, affecting versions prior to 1.18.6 and 1.19.1, and can be mitigated by upgrading to the patched releases.

Laravel Tech Community
Laravel Tech Community
Laravel Tech Community
Path Traversal Vulnerability in Go net/url (CVE-2022-32190)

Vulnerability Description

The Go language component net/url implements URL parsing and query escaping. A path traversal vulnerability exists in net/url because the JoinPath function does not remove "../" elements from appended relative paths, enabling attackers to read arbitrary files on the system. A proof‑of‑concept (PoC) for this issue is already available.

Vulnerability Details

Vulnerability Name

Go net/url Path Traversal Vulnerability

Vulnerability Type

Path Traversal

Discovery Date

2022/09/13

Impact Scope

Wide

MPS ID

MPS-2022-17132

CVE ID

CVE-2022-32190

CNVD ID

-

Affected Versions

net/url versions [1.19, 1.19.1)

net/url versions [1, 1.18.6)

Mitigation

Upgrade Go to version 1.18.6, 1.19.1, or any later release that includes the fix.

Goinformation securityvulnerabilityCVE-2022-32190net/urlPath Traversal
Laravel Tech Community
Written by

Laravel Tech Community

Specializing in Laravel development, we continuously publish fresh content and grow alongside the elegant, stable Laravel framework.

0 followers
Reader feedback

How this landed with the community

login Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment