{"id":"CVE-2022-25298","details":"This affects the package sprinfall/webcc before 0.3.0. It is possible to traverse directories to fetch arbitrary files from the server.","modified":"2026-04-11T22:01:34.532481Z","published":"2022-02-18T13:15:08.320Z","related":["SNYK-UNMANAGED-SPRINFALLWEBCC-2404182"],"references":[{"type":"FIX","url":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f"},{"type":"FIX","url":"https://snyk.io/vuln/SNYK-UNMANAGED-SPRINFALLWEBCC-2404182"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sprinfall/webcc","events":[{"introduced":"0"},{"fixed":"2aaf7a7bde615895ff8db1054941bbc84e319e3b"},{"fixed":"55a45fd5039061d5cc62e9f1b9d1f7e97a15143f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.3.0"}]}}],"versions":["async_api_v1","client_api_v1","v0.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25298.json","vanir_signatures":[{"digest":{"function_hash":"209764351027561823075044685368359549177","length":665},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-0404ef35","deprecated":false,"signature_type":"Function","target":{"function":"n","file":"examples/url_unicode.cc"}},{"digest":{"function_hash":"312081623632835898470928799324631305337","length":382},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-1244c280","deprecated":false,"signature_type":"Function","target":{"function":"Server::MatchViewOrStatic","file":"webcc/server.cc"}},{"digest":{"function_hash":"85521697464798701772126743718406114315","length":662},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-1259186f","deprecated":false,"signature_type":"Function","target":{"function":"Server::ServeStatic","file":"webcc/server.cc"}},{"digest":{"threshold":0.9,"line_hashes":["337070276976860011780981356373153611775","312593409730098730003190439687294709086","50006080317939652366241965993104352055","267486620321857844214778235924477794657","57184117530695825216670884483549997805","87930462855808385685204893044177078406"]},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-15e2f12c","deprecated":false,"signature_type":"Line","target":{"file":"webcc/fs.h"}},{"digest":{"threshold":0.9,"line_hashes":["290606343398373025952330883896741875098","200805050752798983012963292971654241109","323708873417034108846736782256109956203","71557866335459239318480778548827124684","72629263762330021924890055387105048473","132320536535541647307175735160495698645","226897291724248665309321113157722285692","292061548656499089018974348893398253651","68688032460077003319454442566347943326"]},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-24f4902d","deprecated":false,"signature_type":"Line","target":{"file":"webcc/request_parser.cc"}},{"digest":{"threshold":0.9,"line_hashes":["193931890562184354338991092880318949547","28140047615956051509957704457637475430","213874678742671343064244019692472408590","170566773642895328570601732565627421196","38060710268189932949635039934944731791"]},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-26c0a7e5","deprecated":false,"signature_type":"Line","target":{"file":"webcc/utility.cc"}},{"digest":{"threshold":0.9,"line_hashes":["207136994505653448630064921609939258684","286091479044070887243821564434965596832","102434382718907113699419346099319674750","205462243383542657189654576429062471156","75908479845428932686685921307196453308","28161754718219855565900635574446670173","199194338403112166995367248579973967657","169436717563295289800512901118240475506","283021988003235358677696042430725229421","226480008383515528994567346211536781696","309737168529386819074966960434552244190","135145902480345144909730921189978381139","135610710356832396514278964672186071363","33460645319280579341696935231676357144","15898866447855226195593666961637163167","15503436421061366384170419274736384276","322810388662923413925827740546833725983","314927318177989172362509853220384392434","123123915543594158582498144482796422730","301949225236355682793111694509173599097","90924405869254038495951249565435034526","187571352338714726552982623947746030070","33825705900672023475772344267845296133","184461265033841882247939761588923037945","66711585446251522567121973277312565340","63023319149774050960125992398873200987","280237897037521499749255815628871809892","290141419745033287984893756651466270264","48110365625644944079296259321469621899","67535022182241884767639083142677205761","7753526286361479842305893056809228797","196601392190995898561613557549204693221","187177697818237249069955337846555618965","23874523489470094173908526343924884769","27754406826737382381543947039271535926","127041989671248416385291561238303342674","39996246570181854172637216850859769681","293205029928031472673358122035017455056","297165867299678531858014686731106920682","261469216600897354021068321043130507706","304177866006496313791064458206857971410","189543803706424843991176778427417619235","163377481442290905631274622226081427698"]},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-33fd3c78","deprecated":false,"signature_type":"Line","target":{"file":"webcc/url.cc"}},{"digest":{"function_hash":"103040177401849473046821616428790832821","length":568},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-3b9bd6ae","deprecated":false,"signature_type":"Function","target":{"function":"WC2MB","file":"examples/encoding.cc"}},{"digest":{"threshold":0.9,"line_hashes":["256681628302510423710837803674133067738","80564845439269781686948382236868136550","249164422134812893934276663658266621791","253431764593531272467226349056478656474","250071215889501815262790006468516729661","258996162039861696990155044760857239591","196251232089244571673978842747727297299","307894022636631632283278368204213681773"]},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-57e4c224","deprecated":false,"signature_type":"Line","target":{"file":"webcc/server.h"}},{"digest":{"function_hash":"173863512933207710238818431400648033972","length":412},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-6017c213","deprecated":false,"signature_type":"Function","target":{"function":"MB2WC","file":"examples/encoding.cc"}},{"digest":{"threshold":0.9,"line_hashes":["221226486965166060928801927155214353088","158408606734445625391989173209787512398","3591484389077250588483643429610676626","278106122303890263250208844218022680611","158305950175328578412153962217610061464","175389870079596964664643112438218966618","182964659649565280187939228849846822927","150778998731574979938617329010518567100","52753164779034694561345967612844285935","10036211203639915663634688163245053769","289796775781920350397169686178825490990","232249953777989160217125979950690580414","300523675560561272804032255293608662137","110944023896628831326483190577719291737","306461820391000299348781715848187143899","58340258269519684163153344011430227832","302054508607819593565513326082126517236","287765993178069454470360618095780431377","209291580977837948990613690307169905359","160665910466025775083548724680204950937","105337040525135509436230083124143182302","149144431531265832714245043314004004078","152456857666487691610276710656855967676","87243532374813051832000231774063723998","97849226057746683543690043357324491846","7377582401259305201469020306639181683","15271005187802690931581982435000182306","144498740620965206021547494703763496862","41675839680243988076255950281284985325","193255343513910556690260337391312484400","154095679773034157425021288996658060121","5088145860282261493502060877897775266","284562712346448735871667866926525272122","72188261689711726943806878145663647936","189496303540889758721343792953014868111","205527549184846475124475429257869584709"]},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-63e0c9a8","deprecated":false,"signature_type":"Line","target":{"file":"examples/encoding.cc"}},{"digest":{"function_hash":"197378706662817778520442368267554598147","length":618},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-6bd643ed","deprecated":false,"signature_type":"Function","target":{"function":"Router::MatchView","file":"webcc/router.cc"}},{"digest":{"threshold":0.9,"line_hashes":["271713873764929613635454616095651903292","88270624434501699163358168870931763258","178324849915722971896862281766190289689","312093647672470791110435146812163807064"]},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-70c37c64","deprecated":false,"signature_type":"Line","target":{"file":"webcc/router.h"}},{"digest":{"threshold":0.9,"line_hashes":["73371919487326243508385873926060646791","155366455877703271323475618871219231774","276551626376177445972617301248210708097"]},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-864aab78","deprecated":false,"signature_type":"Line","target":{"file":"webcc/string.h"}},{"digest":{"function_hash":"330163544382999859490632131139003124774","length":505},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-89e09ddf","deprecated":false,"signature_type":"Function","target":{"function":"UrlQuery::UrlQuery","file":"webcc/url.cc"}},{"digest":{"threshold":0.9,"line_hashes":["167413244136489452743928897453852332224","284397429817839312352936614665432289481","50156378111005542917111591793289818462","232118194924191527515084342618833492414"]},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-8f9416c6","deprecated":false,"signature_type":"Line","target":{"file":"webcc/body.cc"}},{"digest":{"threshold":0.9,"line_hashes":["204033263404007465126661836338548007709","126240667688318192751746529781315543183","257189600210853903092975594100374454374"]},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-9077a351","deprecated":false,"signature_type":"Line","target":{"file":"webcc/url.h"}},{"digest":{"threshold":0.9,"line_hashes":["316113062740540625276292720384083357452","28709587443263399503172661399415549764","40917913873727570496467714438826808654"]},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-9b55229b","deprecated":false,"signature_type":"Line","target":{"file":"webcc/utility.h"}},{"digest":{"threshold":0.9,"line_hashes":["142890065455913350389232836228507308560","110437410716981405633574310898854120205"]},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-9fdd3397","deprecated":false,"signature_type":"Line","target":{"file":"examples/encoding.h"}},{"digest":{"function_hash":"180214564468253310559103961307142692729","length":125},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-a73546e7","deprecated":false,"signature_type":"Function","target":{"function":"DecodeUnsafe","file":"webcc/url.cc"}},{"digest":{"threshold":0.9,"line_hashes":["319683736036796326393892993674943006719","32092708430534021952812730471415585836","157495644537377052291373635505420169597","154976489993501431691272259649801925578","123669216931562830847271229370269947570","165016064065710134105143581821969704200","117442903858438272753604173467603793829","69279501883071376361872314246159524888","41571510329277769768095925004539432366","64254921304249101125027265305670919964","155655200489623204124393816402887629355","4341001129206987344655144783414794050","323418244766792193253409088408325697724","199463034061552816714050797553609669086","247814127976646260885376196136628851725","78936824816893006561827550619075391512","304051817245806813578998241093053439982","60824798435802016308776977706871159060","185792819116132997857294510760717185411","48433446389314061574732559429104930764","224446463558308502080146878487976071717","110325602661073028748971364918411464640","92709224527249014411472692040310419942"]},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-b7023ebe","deprecated":false,"signature_type":"Line","target":{"file":"webcc/server.cc"}},{"digest":{"threshold":0.9,"line_hashes":["80812708366938070270126227889364653667","188379183127063970502152498188605047947","53104219240825329774974339058337671389","120181264300878147896016778924974391998","281406739016004571612927550031063339082","284325826909774401765001066386548657971","174668287121057428554844732105357290977","259035701126881970290718538415515302589","38937096689262701894284103590492086070","16512867898815025502420156345275120237","272314602856204110083075973702721320449","148483185969055844956387124694146257148","229098828549010318661760131649701189292","173298473969967454020327226205798343580","138710940910934388285156123187773072669","226059425269144761518756525633602077629","164986608644501618834623652344513594196","18221376329536960993817242961103054045"]},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-bbe3a6fe","deprecated":false,"signature_type":"Line","target":{"file":"examples/url_unicode.cc"}},{"digest":{"function_hash":"244476712584494846903930224443511007183","length":146},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-be32042e","deprecated":false,"signature_type":"Function","target":{"function":"FileBody::Dump","file":"webcc/body.cc"}},{"digest":{"function_hash":"314157953382572083268794282680620632633","length":302},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-c8afd7a3","deprecated":false,"signature_type":"Function","target":{"function":"RequestParser::OnHeadersEnd","file":"webcc/request_parser.cc"}},{"digest":{"function_hash":"87794637938801127700853295202273550002","length":575},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-d9e0f693","deprecated":false,"signature_type":"Function","target":{"function":"Decode","file":"webcc/url.cc"}},{"digest":{"function_hash":"167368053349261346903743171490551616436","length":204},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-e2e20739","deprecated":false,"signature_type":"Function","target":{"function":"Server::Server","file":"webcc/server.cc"}},{"digest":{"threshold":0.9,"line_hashes":["53443735956303315356081239660140457895","71177313363585878020507549163961560004","229926343697114241560750569180440954693","323075165688110283180455729341333675239"]},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-e707d65c","deprecated":false,"signature_type":"Line","target":{"file":"webcc/string.cc"}},{"digest":{"threshold":0.9,"line_hashes":["70011343197455881468007477687818008883","123201790941687108353969988720066555425","153031976467305995533160813233006697768","145637909530261550029271956077177104420","32838057633135689437501338784245987601","6974426018743023221447447849306515416","72015421651199297644807456654957997970","131608775492724630375119832855560269443","321393998205257420944557953288365493507","188775611527217415162507031782246868804","131457125797030037109369509656853133797","330034671132665793602149653223436379157","139200066005686268684049831537336400686"]},"source":"https://github.com/sprinfall/webcc/commit/55a45fd5039061d5cc62e9f1b9d1f7e97a15143f","signature_version":"v1","id":"CVE-2022-25298-e93490e0","deprecated":false,"signature_type":"Line","target":{"file":"webcc/router.cc"}}],"vanir_signatures_modified":"2026-04-11T22:01:34Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}