{"url":"http://public2.vulnerablecode.io/api/packages/497914?format=json","purl":"pkg:maven/io.micronaut/micronaut-http-server-netty@2.0.0","type":"maven","namespace":"io.micronaut","name":"micronaut-http-server-netty","version":"2.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.8.3","latest_non_vulnerable_version":"3.8.3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44637?format=json","vulnerability_id":"VCID-c32s-k5av-yqac","summary":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in micronaut-core\nWith a basic configuration like\n\n```yaml\nrouter:\n  static-resources:\n    assets:\n      enabled: true\n      mapping: /.assets/public/**\n      paths: file:/home/lstrmiska/test/\n```\n\nit is possible to access any file from a filesystem, using \"/../../\" in URL, as Micronaut does not restrict file access to configured paths. \n\n**Repro Steps**\n- create a file test.txt in /home/lstrmiska\n- start micronaut\n- execute command\n`curl -v --path-as-is \"http://localhost:8080/.assets/public/../test.txt\"`\n\n\n### Impact\n\nMicronaut can potentially leak sensitive information.\n\nSee https://cwe.mitre.org/data/definitions/22.html\n\n### Patches\n\n```\ndiff --git a/core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java b/core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java\nindex 2f5a91403..19d3b7f05 100644\n--- a/core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java\n+++ b/core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java\n@@ -69,6 +69,9 @@ public class DefaultFileSystemResourceLoader implements FileSystemResourceLoader\n     @Override\n     public Optional<InputStream> getResourceAsStream(String path) {\n         Path filePath = getFilePath(normalize(path));\n+        if (pathOutsideBase(filePath)) {\n+            return 
Optional.empty();\n+        }\n         try {\n             return Optional.of(Files.newInputStream(filePath));\n         } catch (IOException e) {\n@@ -79,7 +82,7 @@ public class DefaultFileSystemResourceLoader implements FileSystemResourceLoader\n     @Override\n     public Optional<URL> getResource(String path) {\n         Path filePath = getFilePath(normalize(path));\n-        if (Files.exists(filePath) && Files.isReadable(filePath) && !Files.isDirectory(filePath)) {\n+        if (!pathOutsideBase(filePath) && Files.exists(filePath) && Files.isReadable(filePath) && !Files.isDirectory(filePath)) {\n             try {\n                 URL url = filePath.toUri().toURL();\n                 return Optional.of(url);\n@@ -117,4 +120,15 @@ public class DefaultFileSystemResourceLoader implements FileSystemResourceLoader\n     private Path getFilePath(String path) {\n         return baseDirPath.map(dir -> dir.resolve(path)).orElseGet(() -> Paths.get(path));\n     }\n+\n+    private boolean pathOutsideBase(Path path) {\n+        if (baseDirPath.isPresent()) {\n+            Path baseDir = baseDirPath.get();\n+            if (path.isAbsolute() == baseDir.isAbsolute()) {\n+                Path relativePath = baseDir.relativize(path);\n+                return relativePath.startsWith(\"..\");\n+            }\n+        }\n+        return false;\n+    }\n }\n-- \n\n```\n\n### Workarounds\n\n- do not use ** in the mapping; use only *, which exposes only the flat structure of a directory and does not allow traversal\n- run Micronaut in a chroot (Linux only)\n\n### References\n\nSee https://cwe.mitre.org/data/definitions/22.html\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [GitHub](https://github.com/micronaut-projects/micronaut-core/issues)\n* Email us at 
[info@micronaut.io](mailto:info@micronaut.io)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32769","reference_id":"","reference_type":"","scores":[{"value":"0.00436","scoring_system":"epss","scoring_elements":"0.63287","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32769"},{"reference_url":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11"},{"reference_url":"https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-cjx7-399x-p2rj","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-cjx7-399x-p2rj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32769","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32769"},{"reference_url":"https://github.com/advisories/GHSA-cjx7-399x-p2rj","reference_id":"GHSA-cjx7-399x-p2rj","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cjx7-399x-p2rj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78507?format=json","purl":"pkg:maven/io.micronaut/micronaut-http-server-netty@2.5.9","is_vulnerable":true,
"affected_by_vulnerabilities":[{"vulnerability":"VCID-hyxw-8y7d-g7dx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/io.micronaut/micronaut-http-server-netty@2.5.9"}],"aliases":["CVE-2021-32769","GHSA-cjx7-399x-p2rj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c32s-k5av-yqac"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10552?format=json","vulnerability_id":"VCID-hyxw-8y7d-g7dx","summary":"Micronaut management endpoints vulnerable to drive-by localhost attack\n### Summary\nEnabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought.\n\n### Details\nA malicious/compromised website can make HTTP requests to `localhost`. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are [\"simple\"](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests) and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered.\n\n### Impact\nProduction environments typically disable unused endpoints and secure/restrict access to needed endpoints. 
A more likely victim is the developer in their local development host, who has enabled endpoints without security for the sake of easing development.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-23639","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.1104","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-23639"},{"reference_url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T15:05:36Z/"}],"url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests"},{"reference_url":"https://github.com/micronaut-projects/micronaut-core","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/micronaut-projects/micronaut-core"},{"reference_url":"https://github.com/micronaut-projects/micronaut-core/commit/01adb21e57137caaf7004313d2055c5a78b1f47b","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/micronaut-projects/micronaut-core/commit/01adb21e57137caaf7004313d2055c5a78b1f47b"},{"reference_url":"https://github.com/micronaut-projects/micronaut-core/pull/8642","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","s
coring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/micronaut-projects/micronaut-core/pull/8642"},{"reference_url":"https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-583g-g682-crxf","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-22T15:05:36Z/"}],"url":"https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-583g-g682-crxf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-23639","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-23639"},{"reference_url":"https://github.com/advisories/GHSA-583g-g682-crxf","reference_id":"GHSA-583g-g682-crxf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-583g-g682-crxf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27311?format=json","purl":"pkg:maven/io.micronaut/micronaut-http-server-netty@3.8.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/io.micronaut/micronaut-http-server-netty@3.8.3"}],"aliases":["CVE-2024-23639","GHSA-583g-g682-crxf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilit
ies/VCID-hyxw-8y7d-g7dx"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/io.micronaut/micronaut-http-server-netty@2.0.0"}
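Review bot: in the `pathOutsideBase` hunk of the embedded patch, the containment check is skipped whenever `path.isAbsolute() != baseDir.isAbsolute()`, so a resolved path whose absoluteness differs from the configured base directory falls through to `return false` and is treated as inside the base; consider calling `toAbsolutePath().normalize()` on both paths before `relativize`, and treating a remaining mismatch as outside rather than inside. The comparison is also purely lexical (no `toRealPath()`), so a symlink under the base that points elsewhere is not caught by `relativePath.startsWith("..")`; worth a comment if that is an accepted limitation.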