Search
Search is not available in local development.
Run npx pagefind --site __site after building to enable it.
JLSEC-2026-612

Path traversal in the HTTP.jl static file server via separator/absolute path segments

JLSEC Published
Modified
Affected Packages
HTTP < 2.4.0
Aliases / Upstream
ANT-2026-VHDP7ANW

Description

The static file server decoded the request path, split it on /, and rejected only segments exactly equal to . or ... Because URL-decoding ran before the / split, an encoded backslash (%5c), a Windows drive specifier (C:\...), or a UNC prefix (\\host\share) survived inside a single segment and passed validation. On Windows, joinpath then honored \` as a separator and treated drive/UNC segments as absolute, discarding the configured document root. ### Impact A remote client could read files outside the served document root and, on Windows, trigger outbound SMB/NTLM authentication via UNC paths, by crafting encoded separator, drive, or UNC segments. ### Patches Fixed in HTTP.jl v2.4.0. A new platform-independent segment validator rejects any decoded segment that is./.., contains a path separator (/or`), contains a colon (drive specifier / alternate data stream), or is absolute; unsafe segments are mapped to a 400 response. A defense-in-depth containment backstop additionally requires the normalized joined path to remain within the normalized root.

Reported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.

References