CVE-2026-42351
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
A raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with .. values, along with a resource of type stac-collection defined in configuration.
Patches
The issue has been patched in master branch and made available as part of the 0.23.3 release.
The commit/fix can be found in bf25b8695edbdd5476eeffc102b633d1d3e45f52.
Workarounds
Users can safeguard existing applications by disabling STAC collection based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.
Analysis
Impact
A raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with .. values, along with a resource of type stac-collection defined in configuration.
Patches
The issue has been patched in master branch and made available as part of the 0.23.3 release.
The commit/fix can be found in bf25b8695edbdd5476eeffc102b633d1d3e45f52.
Workarounds
Users can safeguard existing applications by disabling STAC collection based resources in their pygeoapi config, until 0.23.3 can be installed and deployed.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-f6pr-83pg-ghh6