Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionNVD
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefix(path, safedir). This is a lexical check, not a directory boundary check: /packages-extra/evil starts with /packages, so it passed. The function did not enforce a path-separator boundary, so any sibling directory whose name began with the safe-directory string was accepted. Callers included the builder's Clean handler (pkg/builder/builder.go:208) and the fetcher's Fetch / Upload handlers (pkg/fetcher/fetcher.go). A tenant who could pre-create or control a sibling directory under the fetcher / builder's shared volume could induce a write or read outside the intended safe directory. This issue has been patched in version 1.25.0.
AnalysisAI
Path traversal in Fission's SanitizeFilePath function (pkg/utils/utils.go) allows a low-privileged tenant to read or write files outside an intended safe directory on a shared Kubernetes volume. Versions prior to 1.25.0 validated directory confinement using strings.HasPrefix, which performs a purely lexical string comparison: a sibling path such as /packages-extra/evil incorrectly passes a check for the safe directory /packages because it satisfies the string prefix condition without a directory-separator boundary. The builder's Clean handler and the fetcher's Fetch and Upload handlers were all affected. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
Fission is a Kubernetes-native serverless framework (CPE: cpe:2.3:a:fission:fission:*:*:*:*:*:*:*:*) that uses shared volumes between its builder and fetcher components to stage function packages. The root cause is CWE-41 (Improper Resolution of Path Equivalence): the retired SanitizeFilePath helper called Go's strings.HasPrefix(path, safedir) to enforce directory confinement, but this is a string-level check that does not honor filesystem path semantics. Because strings.HasPrefix does not require the matched prefix to end at a path separator, any sibling directory whose name shares the safe directory's string prefix bypasses the check entirely. The fix, introduced in PRs #3445 and #3446, replaces all call sites with a family of os.OpenRoot-based helpers (RootJoin, RootStat, RootWriteFile, RootMkdirAll, RootRename) that confine every filesystem operation to an explicitly opened directory file descriptor, making escape structurally impossible rather than textually validated.
RemediationAI
Vendor-released patch: v1.25.0. Upgrade Fission to version 1.25.0 or later, available at https://github.com/fission/fission/releases/tag/v1.25.0. The fix eliminates the vulnerable SanitizeFilePath helper entirely, replacing it with os.OpenRoot-based wrappers (RootJoin, RootStat, RootWriteFile, RootMkdirAll, RootRename) that use Linux's openat-family syscalls to structurally confine all path operations. For deployments that cannot immediately upgrade, a compensating control is to enforce strict Kubernetes RBAC and admission policies that prevent tenants from creating arbitrary directories or PersistentVolumeClaims on shared volumes used by the builder and fetcher - this directly removes the attacker's prerequisite of controlling a sibling directory. Note that this workaround requires careful policy scoping and does not fix the underlying code defect. Full remediation details are in PRs #3445 and #3446 at https://github.com/fission/fission/pull/3445 and https://github.com/fission/fission/pull/3446.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-41 – Improper Resolution of Path Equivalence
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36072