{"id":"CVE-2022-25299","details":"This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload using mg_http_upload() method may enable attackers to write files to arbitrary locations outside the designated target folder.","modified":"2026-04-11T22:01:31.770260Z","published":"2022-02-18T13:15:08.383Z","related":["SNYK-UNMANAGED-CESANTAMONGOOSE-2404180"],"references":[{"type":"FIX","url":"https://github.com/cesanta/mongoose/commit/c65c8fdaaa257e0487ab0aaae9e8f6b439335945"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-UNMANAGED-CESANTAMONGOOSE-2404180"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cesanta/mongoose","events":[{"introduced":"0"},{"fixed":"1b82aa02aa3d6fecfc23ed0a94c6917f139de1ad"},{"fixed":"c65c8fdaaa257e0487ab0aaae9e8f6b439335945"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"7.6"}]}}],"versions":["3.2","3.3","3.4","3.5","3.6","3.7","3.8","4.0","4.1","5.0","5.1","5.2","5.3","5.4","5.5","5.5_20140120","5.6","6.0","6.1","6.10","6.11","6.12","6.13","6.14","6.15","6.16","6.17","6.18","6.2","6.3","6.4","6.5","6.6","6.7","6.9","7.0","7.1","7.2","7.3","7.4","7.5"],"database_specific":{"vanir_signatures_modified":"2026-04-11T22:01:31Z","vanir_signatures":[{"id":"CVE-2022-25299-384fc369","deprecated":false,"target":{"file":"mongoose.c"},"signature_type":"Line","digest":{"line_hashes":["242706033282067176875032425508032888864","99522183213085504313786174125419876320","317607507457042687038877028356137111401","333692189807639914897787362839627623813","233865274326001107318949442572987913309","221254706629978215518853743110690491273","253319027323112190251501714670312356228","216538699964804043248640641326933649494","244608069674255244487288380326870337055","260246318888716113391930882121398533345","297272436952712233725021059878684268872","25363224782478370495762222898064946957","163909099563252246648925565846780879728","293169514882191368702607043720044341984","102129296967832871668598717709511254046","112819087028156993108012246646245345603","101821142596263531984442375264151164907","261717293051684845709397823176983799782","228130189183380133144193134927040524517","174402573558153142600198445885969578150","316634947057275655371304392957716982165","298331221646344776840071252632452039089","51519848797132890115430913520659695192","94585454980982654502483191906239126992","81666697063671350821902100494798519433","23964437094381691308194720730542555578","305407463024304548130196606906410878762","38414022540808156823982743711661729470","62657882478922673139893870355193611787","88850435843307456768886303461010071700","106490766253083496260963657830660064020","291678104855126962159420652916814432635","88337735380769454933221982902538839929"],"threshold":0.9},"source":"https://github.com/cesanta/mongoose/commit/c65c8fdaaa257e0487ab0aaae9e8f6b439335945","signature_version":"v1"},{"id":"CVE-2022-25299-d3c83efa","deprecated":false,"target":{"file":"test/unit_test.c","function":"test_http_server"},"signature_type":"Function","digest":{"length":6870,"function_hash":"299142579153512652660395765520501226188"},"source":"https://github.com/cesanta/mongoose/commit/c65c8fdaaa257e0487ab0aaae9e8f6b439335945","signature_version":"v1"},{"id":"CVE-2022-25299-da9c7b66","deprecated":false,"target":{"file":"src/http.c"},"signature_type":"Line","digest":{"line_hashes":["242706033282067176875032425508032888864","99522183213085504313786174125419876320","317607507457042687038877028356137111401","333692189807639914897787362839627623813","233865274326001107318949442572987913309","221254706629978215518853743110690491273","253319027323112190251501714670312356228","216538699964804043248640641326933649494","244608069674255244487288380326870337055","260246318888716113391930882121398533345","297272436952712233725021059878684268872","25363224782478370495762222898064946957","163909099563252246648925565846780879728","293169514882191368702607043720044341984","102129296967832871668598717709511254046","112819087028156993108012246646245345603","101821142596263531984442375264151164907","261717293051684845709397823176983799782","228130189183380133144193134927040524517","174402573558153142600198445885969578150","316634947057275655371304392957716982165","298331221646344776840071252632452039089","51519848797132890115430913520659695192","94585454980982654502483191906239126992","81666697063671350821902100494798519433","23964437094381691308194720730542555578","305407463024304548130196606906410878762","38414022540808156823982743711661729470","62657882478922673139893870355193611787","88850435843307456768886303461010071700","106490766253083496260963657830660064020","291678104855126962159420652916814432635","88337735380769454933221982902538839929"],"threshold":0.9},"source":"https://github.com/cesanta/mongoose/commit/c65c8fdaaa257e0487ab0aaae9e8f6b439335945","signature_version":"v1"},{"id":"CVE-2022-25299-e80b1150","deprecated":false,"target":{"file":"mongoose.c","function":"mg_http_upload"},"signature_type":"Function","digest":{"length":939,"function_hash":"94260302717059400505012761633974380900"},"source":"https://github.com/cesanta/mongoose/commit/c65c8fdaaa257e0487ab0aaae9e8f6b439335945","signature_version":"v1"},{"id":"CVE-2022-25299-f3a27d8f","deprecated":false,"target":{"file":"src/http.c","function":"mg_http_upload"},"signature_type":"Function","digest":{"length":939,"function_hash":"94260302717059400505012761633974380900"},"source":"https://github.com/cesanta/mongoose/commit/c65c8fdaaa257e0487ab0aaae9e8f6b439335945","signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25299.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}