Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
6DescriptionGitHub Advisory
SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses ".." path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended directory. This issue has been patched in version 1.4.1.
AnalysisAI
Authorization bypass in scitokens-cpp library (all versions prior to 1.4.1) allows authenticated attackers to escape path-based scope restrictions via parent-directory traversal in token scope claims. The library incorrectly normalizes '..' components instead of rejecting them, enabling privilege escalation to access resources outside intended directories. EPSS data not provided, but the vulnerability is network-exploitable with low attack complexity (CVSS 8.3). No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the fix commit is publicly documented.
Technical ContextAI
SciTokens is an authorization token framework used in scientific computing environments for fine-grained access control, particularly in distributed high-performance computing and data grid systems. The scitokens-cpp library (CPE: cpe:2.3:a:scitokens:scitokens-cpp) implements token validation and scope enforcement in C++. The vulnerability stems from CWE-23 (Relative Path Traversal) in the scope authorization logic. When validating path-based scope claims within tokens, the library performs path normalization that collapses parent-directory sequences ('..') rather than treating them as invalid input. This allows an attacker to craft a token with a scope like '/allowed/path/../../sensitive/' which normalizes to '/sensitive/', bypassing the intended '/allowed/path/' restriction. The flaw exists in the authorization check phase after token signature validation, meaning legitimate token holders can escalate their privileges beyond their assigned scope boundaries.
RemediationAI
Upgrade to scitokens-cpp version 1.4.1 or later, which addresses the path traversal vulnerability by properly rejecting parent-directory components in scope claims rather than normalizing them. The fix is documented in commit 7951ed809967d88c00c20de414b1ff74df8c3e08 available at https://github.com/scitokens/scitokens-cpp/commit/7951ed809967d88c00c20de414b1ff74df8c3e08. Organizations should inventory all systems using the scitokens-cpp library, prioritizing externally-accessible services and multi-tenant environments. As a temporary workaround pending upgrade, implement additional path validation at the application layer to reject tokens containing '..' sequences in scope claims, though this is defense-in-depth only and does not replace patching. Review audit logs for tokens with suspicious path patterns in scope claims to identify potential exploitation attempts. Consult the official GitHub security advisory at https://github.com/scitokens/scitokens-cpp/security/advisories/GHSA-rqcx-mc9w-pjxp for additional vendor guidance.
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17561