Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn() in lua/upload/upload.go uses filepath.Join() with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This vulnerability is fixed in 1.17.6.
AnalysisAI
Path traversal in Algernon web server versions prior to 1.17.6 allows remote unauthenticated attackers to write uploaded files outside the intended directory by supplying a directory parameter containing ../ sequences. The flaw in uploadedFileSaveIn() within lua/upload/upload.go fails to validate the joined path after filepath.Join(), so a value like ../../../tmp resolves to /tmp on the host. No public exploit identified at time of analysis, and EPSS is very low (0.05%), but CISA SSVC flags the issue as automatable with partial technical impact.
Technical ContextAI
Algernon is a self-contained pure-Go web server developed by xyproto that embeds a Lua scripting environment for dynamic content. The vulnerable code path is the Lua-exposed uploadedFileSaveIn() helper in lua/upload/upload.go, which constructs a destination path using Go's filepath.Join(). filepath.Join() canonicalizes ../ segments but does not constrain the result to a base directory - a well-known CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) pitfall in Go file-handling code. Because no boundary check (e.g. comparing the cleaned path against a trusted prefix or using filepath.Rel) is performed before writing, a caller-controlled directory argument can escape the web root entirely.
RemediationAI
Upgrade to Algernon 1.17.6 or later, which is the vendor-released patch that adds boundary validation after the filepath.Join() in uploadedFileSaveIn(); see the advisory at https://github.com/xyproto/algernon/security/advisories/GHSA-2j2c-pv62-mmcp. Until the upgrade is deployed, audit any Lua handlers that call uploadedFileSaveIn() and hard-code or sanitize the directory argument so it cannot be influenced by request data - rejecting inputs containing '..' or non-ASCII path separators, or computing filepath.Rel against the intended root and refusing results that begin with '..'. As a deployment-level compensating control, run the Algernon process under a dedicated unprivileged user with a restricted filesystem view (chroot, containers with read-only mounts, or systemd ProtectSystem/ReadOnlyPaths), accepting the trade-off that legitimate upload targets outside the web root will also be blocked.
All versions of the package github.com/xyproto/algernon/engine; all versions of the package github.com/xyproto/algernon/
Path traversal in xyproto's Algernon web server prior to 1.17.8 lets unauthenticated remote attackers escape the documen
Denial of service in Algernon web server versions prior to 1.17.6 stems from a race condition in the Lua handler engine
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31863