{"id":"CVE-2024-22050","details":"Path traversal in the static file service in Iodine less than 0.7.33 allows an unauthenticated, remote attacker to read files outside the public folder via malicious URLs.","aliases":["GHSA-85rf-xh54-whp3"],"modified":"2026-04-12T08:03:51.676716Z","published":"2024-01-04T21:15:10.100Z","related":["GHSA-85rf-xh54-whp3"],"references":[{"type":"ADVISORY","url":"https://github.com/boazsegev/iodine/security/advisories/GHSA-85rf-xh54-whp3"},{"type":"FIX","url":"https://github.com/advisories/GHSA-85rf-xh54-whp3"},{"type":"FIX","url":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889"},{"type":"FIX","url":"https://vulncheck.com/advisories/vc-advisory-GHSA-85rf-xh54-whp3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/boazsegev/iodine","events":[{"introduced":"0"},{"last_affected":"71d4d6baf8feca7c78706497e220393d2cf6ab11"},{"fixed":"5558233fb7defda706b4f9c87c17759705949889"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.7.33"}]}}],"versions":["v0.0.1","v0.0.2","v0.0.3","v0.0.4","v0.1.0","v0.1.1","v0.1.10","v0.1.11","v0.1.12","v0.1.13","v0.1.14","v0.1.15","v0.1.16","v0.1.17","v0.1.18","v0.1.19","v0.1.2","v0.1.20","v0.1.21","v0.1.3","v0.1.4","v0.1.5","v0.1.6","v0.1.7","v0.1.8","v0.1.9","v0.2.0","v0.2.1","v0.2.10","v0.2.11","v0.2.12","v0.2.13","v0.2.14","v0.2.15","v0.2.16","v0.2.17","v0.2.2","v0.2.3","v0.2.4","v0.2.5","v0.2.6","v0.2.7","v0.2.8","v0.2.9","v0.3.0","v0.3.1","v0.3.2","v0.3.3","v0.3.4","v0.3.5","v0.3.6","v0.4.0","v0.4.1","v0.4.10","v0.4.11","v0.4.12","v0.4.14","v0.4.15","v0.4.16","v0.4.17","v0.4.18","v0.4.19","v0.4.2","v0.4.3","v0.4.4","v0.4.5","v0.4.6","v0.4.7","v0.4.8","v0.4.9","v0.5.0","v0.5.1","v0.5.2","v0.6.0","v0.6.1","v0.6.2","v0.6.3","v0.6.4","v0.6.5","v0.7.0","v0.7.1","v0.7.10","v0.7.11","v0.7.12","v0.7.13","v0.7.14","v0.7.15","v0.7.16","v0.7.17","v0.7.18","v0.7.19","v0.7.2","v0.7.20","v0.7.21","v0.7.22","v0.7.23","v0.7.24","v0.7.25","v0.7.26","v0.7.27","v0.7.28","v0.7.29","v0.7.3","v0.7.31","v0.7.32","v0.7.33","v0.7.4","v0.7.5","v0.7.6","v0.7.7","v0.7.8","v0.7.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-22050.json","vanir_signatures":[{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-055d4439","digest":{"length":800,"function_hash":"198377515037861313859511217941252428272"},"deprecated":false,"target":{"file":"ext/iodine/fio.c","function":"fio_signal_handler_reset"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-07ec9600","digest":{"line_hashes":["306835095047024991935153296056692964926","252256214802010088958653460143401334606","44259970585852496002277103316084851499","244457627349776091400760324938298677820","159083487960487129462909930135995676650","259196456976379190316615135973407413909","186741837240865360718606423805418029422","124912331527607666520373132739772383704","129214698531950340823194866444014279188","2477199907988409429979367846896978735","165094965905783459388830705213628562869","11021652834647593603736470268815616741","275050131334018408302871180574407488729","305522927707309067524186850843369480971","182677949585088240336621519899315787301","148889943908960484130564160257394318456","277362629647182580101297707603071025229","226103330201899974592300102349316652709","296470559092883407205600309508736166195","321721347502130005693304432479911288317","22506727936151712957401222106247619179","191522672563424080744588345095439909870","38726732730813861778145685246713379770","196281029717787017085000421015805654116","295156647258177598026692777229807794396","191522672563424080744588345095439909870","38726732730813861778145685246713379770","196281029717787017085000421015805654116","179151660151351899664850407133719610447"],"threshold":0.9},"deprecated":false,"target":{"file":"ext/iodine/fio.h"},"signature_version":"v1","signature_type":"Line"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-09435262","digest":{"line_hashes":["123581379880499789456584470810943642928","287248133357639919013123136616958137615","39821935887551244247831192935588429408","300327096748159712824971172978032885871"],"threshold":0.9},"deprecated":false,"target":{"file":"ext/iodine/fiobj4fio.h"},"signature_version":"v1","signature_type":"Line"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-0be571d2","digest":{"length":226,"function_hash":"266928469100969845482775744494701866576"},"deprecated":false,"target":{"file":"ext/iodine/fio_tls_missing.c","function":"fio_tls_destroy"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-0dfa7ac4","digest":{"line_hashes":["208764731900957020370346892019659396109","209899787249886689789676736286233012607","107086977595780265753371718993034807781","255586319606684811921426520302798361390","206487290610339583284883340623296347805","209899787249886689789676736286233012607","328835475208145458612265148847499113689","111874850584239494505271906267572310068","339924118251058500192839388407359461442","70002832451502409448863018724046786296","251671963531124845570743816255431207879","325580214997075466968536062959434636962","205282619613069993620613765471558078094","102976302529964012441079627231386599950","273609026837136161518132455768079027667","197878897379847545818903898191442480975","142152899142907152525243061818889319713","302149141326591065946719486084361568024","248239243438405240442225945260153128529","121571031545992772929120276306900990291","311991526040655846689109732242832793741","236486007291300644971145701391232465239","238676432306479257983247831184831647973","149132565806969770335568385260062179204","130600100584445844140214063882692721647","255146880172956492976471907693831774019","227691015709783519290417511704684800304"],"threshold":0.9},"deprecated":false,"target":{"file":"ext/iodine/http1.c"},"signature_version":"v1","signature_type":"Line"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-156b611d","digest":{"length":2111,"function_hash":"129013036702031728587360596491483544674"},"deprecated":false,"target":{"file":"ext/iodine/fio.c","function":"fio_flush"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-1a8bd2b3","digest":{"line_hashes":["242320006687829376778087259135964923900","93996420465986760703292535896684380332","326647670546311994725919980201919285878","270320910063287517352064701341409225975","117139601513527110786532938565071829527","238090187688258463715994429281290969575","272551163123712853888983111555432200934","107130918023500259968629936771747406785","315706508370248114248316844032975186871","298325923299128386085833730425157905536","91105906329664565625061620969279703905","160976034766477037842041319373183923600","256133077907057374937366366116840487882","221052082956330621198288849834604351162","45282382805769784574818233417466002169","46627520607556879933490929710614132224"],"threshold":0.9},"deprecated":false,"target":{"file":"ext/iodine/fio_cli.c"},"signature_version":"v1","signature_type":"Line"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-1ded752d","digest":{"length":4527,"function_hash":"248359984530794508484335151159038307726"},"deprecated":false,"target":{"file":"ext/iodine/fio_cli.c","function":"fio_cli_set_arg"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-21cd8303","digest":{"line_hashes":["3847646527963432439538259230727378646","249438058600543554506090896570974666479","325791701820271047219517503916030565014","283692896854287426303879886344740191180","314259074877656306724438711481688801673","305562696837039717153281011259658298152","91653128479411255604572985543811786934","95239266023137188600323092332454577607","313212326480761106234646668311245758212","170262568952318876023252709773549267715","275896156461476988306662641784524603992","155598048038611359658975533772363544411","85301577993574033915308990156069763191","202521174391510682179617260253317548672","290156881391827497728513526795303217425","186600611401754461897543778146992381608","179240992244014109566260670800559289929","320198778246005255301195049287903559291","135099016817569758849766556471853834050","184590063483463523925418924855054566756","168026453360083746744733202839193113046","271825364205754450269547792224278944050","143054167941858676309661150048216508277","152716139709267067427169471546246005944","93924390898672089404040041673659685233","291707610591172398786157077834774766034","169382019523087916500341485451905637114","249216713908658542400579502186743462235","336232772858564052979779424448385320475","26640972589070249162697490328910696891","194626396102044320084375784748136894966","61362169461707320353003564080437334478","172816316612483859907805846099813653317","23787020172411145778075550602562910112","108971111862159686532046441749420562090","283741535622006024274496912093993116938","265792036250117507157313107581434358817","123854184803882967794006282732028572659","211913710060952179630498402078186756107","123455560233674145471028261334460241110","209968435517522369714918234221679263724","67605124411956691029185146394436314624","298438779841509337855407732167254050121","332916616279082514098802171455513773559","226841568009501237156833407463525303526","327137462366791174646671157966683629952","64609202773384812842851483635372311111","177276234408804169278899897022694264567","280038760165818484352232990955371348151","272830607014555418077597768348753247382","186201678900398913399596120882492826003","137190792736807157078933440088166729370","233302468583679775802177628812770972915","158112484435773574637221319403780868883","139658031677472819101528655367672523096","318710653940465158376662010277806731739","241787996887222575098842141521351900510","247436448812093885985733034127346479377","286591983126483965880070595593891476052","234888447324361800559849808151305741165","257683671080051238474392989747316820756","224665881961828571162877698036163264328","226507958117664096594636210199488329436","334280858875600352063758232342950527992","55951379771347808987605178358790975394","251327026759238584453866583556160414747"],"threshold":0.9},"deprecated":false,"target":{"file":"ext/iodine/fio.c"},"signature_version":"v1","signature_type":"Line"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-223cf773","digest":{"length":293,"function_hash":"18281227524404389057370710594241604948"},"deprecated":false,"target":{"file":"ext/iodine/http1.c","function":"http1_on_request"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-279848d2","digest":{"length":780,"function_hash":"211252431253196394515623971850121077916"},"deprecated":false,"target":{"file":"ext/iodine/fio.c","function":"fio_signal_handler_setup"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-29c2d7a3","digest":{"line_hashes":["168893291226037675093973117257799301111","146681726989945002917834536093676618379","23943841674606956798783994226607379740","248248434034428127516242042917013505669","191308500904521929716463889273329549521","13749670982161812646855302235333109355","12444422781526072477206863450927648608","280541489656150866585470130162917326239"],"threshold":0.9},"deprecated":false,"target":{"file":"ext/iodine/iodine_mustache.c"},"signature_version":"v1","signature_type":"Line"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-38660ae8","digest":{"length":366,"function_hash":"242417480193540603525351161658982870668"},"deprecated":false,"target":{"file":"ext/iodine/fio.c","function":"fio_lib_destroy"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-3bffb626","digest":{"line_hashes":["280908511885717199073092994876779728990","141487355438291024093944390178844680118","180353999486103099113516280654316265606","87437097636883095138340213211039234010","147418283013791003563732145285546263846","321375816718064340927026938347507233439","131385606014775118444072173740099689513","133785737963593946858725757041742836200","111692144312521596210853493399769694564","179246416394697362893777095854042226275","265378723104373370574073702140273255104","117623707540903541600651247244882179647","108430555818681263356303663346961678483","170828622126793512120541982456922920223","211239919835382757324312488472990086075","132530916178052509688893324645495862085"],"threshold":0.9},"deprecated":false,"target":{"file":"ext/iodine/http.c"},"signature_version":"v1","signature_type":"Line"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-4437d649","digest":{"line_hashes":["56576386603803166065328684709502257884","224074712244377232191475308205727464685","122243235198166163450523841190726088810","70123090624872474067758601365692472334","136534908303895042437056961826278680244","110966083076143275449638719511197075220","121336461826958048919402360890298910309"],"threshold":0.9},"deprecated":false,"target":{"file":"ext/iodine/fio_tls_missing.c"},"signature_version":"v1","signature_type":"Line"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-4d28767d","digest":{"length":5399,"function_hash":"46638690044837430626349314112288833521"},"deprecated":false,"target":{"file":"ext/iodine/http.c","function":"http_sendfile2"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-5f806596","digest":{"length":200,"function_hash":"127745843401041689553177101409169416566"},"deprecated":false,"target":{"file":"ext/iodine/http1.c","function":"http1_on_ready"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-5fdf847e","digest":{"length":314,"function_hash":"326649285915850453462844758531638553294"},"deprecated":false,"target":{"file":"ext/iodine/fio.c","function":"fio_cluster_listen_on_close"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-69eb17f1","digest":{"length":297,"function_hash":"42662463499097981455286215225020182809"},"deprecated":false,"target":{"file":"ext/iodine/http1.c","function":"http1_on_response"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-6eeeca81","digest":{"line_hashes":["255500364796310315191777693969758465658","192084490608897503639840050553659368648","238699211838738791062097417695674601357","296454173358443856893113488094401794577","152929563739340008953673921531430856783"],"threshold":0.9},"deprecated":false,"target":{"file":"ext/iodine/fiobj_numbers.h"},"signature_version":"v1","signature_type":"Line"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-7014c0e5","digest":{"length":185,"function_hash":"261761220633011101962860117715236786838"},"deprecated":false,"target":{"file":"ext/iodine/fio.h","function":"fio_sendfile"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-70750e7d","digest":{"line_hashes":["70123090624872474067758601365692472334","136534908303895042437056961826278680244","110966083076143275449638719511197075220","121336461826958048919402360890298910309"],"threshold":0.9},"deprecated":false,"target":{"file":"ext/iodine/fio_tls_openssl.c"},"signature_version":"v1","signature_type":"Line"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-77258361","digest":{"length":257,"function_hash":"282972240868781709715833906353050024345"},"deprecated":false,"target":{"file":"ext/iodine/http1.c","function":"http1_on_error"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-7df96507","digest":{"length":515,"function_hash":"194928595838680424926988083859145878272"},"deprecated":false,"target":{"file":"ext/iodine/fio.c","function":"fio_cluster_client_handler"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-82966ce0","digest":{"length":987,"function_hash":"208662297930421725645092592916183382689"},"deprecated":false,"target":{"file":"ext/iodine/fio.c","function":"fio_worker_cleanup"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-89aa8cd6","digest":{"length":164,"function_hash":"133484124071906007445097548894373170391"},"deprecated":false,"target":{"file":"ext/iodine/fio.h","function":"fio_throttle_thread"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-ac6640eb","digest":{"length":1401,"function_hash":"14167535247897847132588924159911863310"},"deprecated":false,"target":{"file":"ext/iodine/http1.c","function":"http1_consume_data"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-b55ce65e","digest":{"length":504,"function_hash":"90237776732972266333223823949748661639"},"deprecated":false,"target":{"file":"ext/iodine/fio.c","function":"sig_int_handler"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-c0d8629f","digest":{"length":683,"function_hash":"26932079826402610672831521326187608734"},"deprecated":false,"target":{"file":"ext/iodine/iodine_mustache.c","function":"fiobj_mustache_find_obj_absolute"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-c202bc98","digest":{"length":2761,"function_hash":"17402096314329207663250208113530514467"},"deprecated":false,"target":{"file":"ext/iodine/iodine_mustache.c","function":"iodine_mustache_new"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-d7b8bcbb","digest":{"length":291,"function_hash":"148364738963077223552247942436860460110"},"deprecated":false,"target":{"file":"ext/iodine/fio.c","function":"fio_timer_calc_due"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-dbcde291","digest":{"length":284,"function_hash":"68785889587176007020818173604086088645"},"deprecated":false,"target":{"file":"ext/iodine/fiobj4fio.h","function":"fiobj_send_free"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-edbf7b3b","digest":{"length":226,"function_hash":"266928469100969845482775744494701866576"},"deprecated":false,"target":{"file":"ext/iodine/fio_tls_openssl.c","function":"fio_tls_destroy"},"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889","id":"CVE-2024-22050-f2248cb8","digest":{"length":272,"function_hash":"240180397927543958400852640740971243201"},"deprecated":false,"target":{"file":"ext/iodine/fio.c","function":"fio_cluster_signal_children"},"signature_version":"v1","signature_type":"Function"}],"vanir_signatures_modified":"2026-04-12T08:03:51Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}