Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory - arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8.
AnalysisAI
Path traversal in xyproto's Algernon web server prior to 1.17.8 lets unauthenticated remote attackers escape the document root via a crafted Host header when the server runs with --domain or --letsencrypt. Beyond arbitrary file read and directory listing, any reachable .lua file in the parent directory will be executed server-side, escalating disclosure into code execution. No public exploit is identified at time of analysis, but SSVC marks the issue as automatable with PoC and EPSS sits at the 20th percentile (0.07%).
Technical ContextAI
Algernon is a self-contained Go-based web server (CPE cpe:2.3:a:xyproto:algernon) that supports static content, Markdown, and embedded Lua scripting. When --domain is enabled (also implicitly via --letsencrypt at engine/flags.go:372), the request router constructs the on-disk path by passing the client-supplied Host header straight into filepath.Join with the configured --dir, with no normalization or containment check. filepath.Join cleans '..' segments but does not constrain the result to the base directory, which is the textbook CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) pattern. Because Algernon also resolves and executes .lua files it finds while serving, the same primitive that yields arbitrary file read becomes server-side script execution whenever the traversed directory contains Lua content.
RemediationAI
Vendor-released patch: upgrade to Algernon 1.17.8 or later, per the GHSA-jc3j-x6pg-4hmv advisory at https://github.com/xyproto/algernon/security/advisories/GHSA-jc3j-x6pg-4hmv. If immediate upgrade is not possible, run Algernon without --domain and without --letsencrypt so the vulnerable Host-header-based path resolution is bypassed - note this disables virtual-host routing and automatic TLS certificate issuance, so you will need to front Algernon with a reverse proxy (nginx, Caddy) that terminates TLS and supplies a fixed, validated Host. As an additional compensating control, place Algernon's --dir parent directory off any path that contains .lua files, and configure the upstream proxy to reject or normalize Host headers containing '..' or path-separator characters, which closes the specific traversal vector with no impact on legitimate clients.
All versions of the package github.com/xyproto/algernon/engine; all versions of the package github.com/xyproto/algernon/
Path traversal in Algernon web server versions prior to 1.17.6 allows remote unauthenticated attackers to write uploaded
Denial of service in Algernon web server versions prior to 1.17.6 stems from a race condition in the Lua handler engine
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31881
GHSA-jc3j-x6pg-4hmv