{"id":"CVE-2022-23532","summary":"neo4j-apoc-procedures is vulnerable to path traversal","details":"APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j that provides hundreds of procedures and functions. A path traversal vulnerability was found in the apoc.export.* procedures of the APOC plugins for the Neo4j graph database. The issue allows a malicious actor to potentially break out of the expected directory. The vulnerability is such that files could only be created but not overwritten. For the vulnerability to be exploited, an attacker would need access to execute an arbitrary query, either by having access to an authenticated Neo4j client, or through a Cypher injection vulnerability in an application. The minimum versions containing a patch for this vulnerability are 4.4.0.12, 4.3.0.12 and 5.3.1. As a workaround, you can control the allowlist of the procedures that can be used in your system, and/or turn off local file access by setting apoc.export.file.enabled=false.","aliases":["GHSA-5v8v-gwmw-qw97"],"modified":"2026-04-11T22:13:39.309116Z","published":"2023-01-14T00:29:27.365Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23532.json","cwe_ids":["CWE-22"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23532.json"},{"type":"ADVISORY","url":"https://github.com/neo4j-contrib/neo4j-apoc-procedures/security/advisories/GHSA-5v8v-gwmw-qw97"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23532"},{"type":"FIX","url":"https://github.com/neo4j-contrib/neo4j-apoc-procedures/commit/01e63ed2d187cd2a8aa1d78bf831ef0fdd69b522"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/neo4j-contrib/neo4j-apoc-procedures","events":[{"introduced":"0"},{"fixed":"e30dcfbdad3ee4b741fb0f99eb2b55900142a727"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.3.0.12"}]}},{"type":"GI
T","repo":"https://github.com/neo4j-contrib/neo4j-apoc-procedures","events":[{"introduced":"1e6de8e88876b526f84b677e4e6859f6f5b27c95"},{"fixed":"01e63ed2d187cd2a8aa1d78bf831ef0fdd69b522"}],"database_specific":{"versions":[{"introduced":"4.4.0.0"},{"fixed":"4.4.0.12"}]}}],"versions":["1.0.0","1.0.0-RC1","1.1.0","3.0.4.1","3.1.0.1","3.1.0.2","3.1.0.3","3.1.0.4","3.1.2.5","3.1.3.6","3.2.0.3","3.2.0.4","3.3.0.1","3.3.0.2","3.4.0.1","3.4.0.2","3.4.0.3","3.5.0.0","3.5.0.1","3.5.0.2","3.5.0.3","3.5.0.4","4.0.0-rc01","4.0.0.0","4.0.0.1","4.0.0.2","4.0.0.3","4.0.0.4","4.0.0.5","4.1.0-rc01","4.1.0.0","4.2.0-rc01","4.3.0-rc01","4.3.0-rc03","4.3.0-rc2","4.3.0.0","4.3.0.1","4.3.0.10","4.3.0.11","4.3.0.2","4.3.0.3","4.3.0.4","4.3.0.5","4.3.0.6","4.3.0.7","4.3.0.8","4.3.0.9","4.4.0.0","4.4.0.1","4.4.0.10","4.4.0.11","4.4.0.2","4.4.0.3","4.4.0.4","4.4.0.5","4.4.0.6","4.4.0.7","4.4.0.8","4.4.0.9"],"database_specific":{"vanir_signatures_modified":"2026-04-11T22:13:39Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23532.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L"}]}