{"id":"JLSEC-2026-612","summary":"Path traversal in the HTTP.jl static file server via separator/absolute path segments","details":"### Description\n\nThe static file server decoded the request path, split it on `/`, and rejected only segments exactly equal to `.` or `..`. Because URL-decoding ran before the `/` split, an encoded backslash (`%5c`), a Windows drive specifier (`C:\\...`), or a UNC prefix (`\\\\host\\share`) survived inside a single segment and passed validation. On Windows, `joinpath` then honored `\\` as a separator and treated drive/UNC segments as absolute, discarding the configured document root.\n\n### Impact\n\nA remote client could read files outside the served document root and, on Windows, trigger outbound SMB/NTLM authentication via UNC paths, by crafting encoded separator, drive, or UNC segments.\n\n### Patches\n\nFixed in HTTP.jl v2.4.0. A new platform-independent segment validator rejects any decoded segment that is `.`/`..`, contains a path separator (`/` or `\\`), contains a colon (drive specifier / alternate data stream), or is absolute; unsafe segments are mapped to a 400 response. A defense-in-depth containment backstop additionally requires the normalized joined path to remain within the normalized root.\n\nReported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.","aliases":["ANT-2026-VHDP7ANW"],"modified":"2026-06-23T17:30:14.031434803Z","published":"2026-06-23T12:59:32.708Z","database_specific":{"license":"CC-BY-4.0"},"references":[{"type":"WEB","url":"https://github.com/JuliaWeb/HTTP.jl/commit/86bf638796e08661a8b269d2db8ae40ff8cdaf05"},{"type":"WEB","url":"https://github.com/JuliaWeb/HTTP.jl/pull/1316"}],"affected":[{"package":{"name":"HTTP","ecosystem":"Julia","purl":"pkg:julia/HTTP?uuid=cd3eb016-35fb-5094-929b-558a96fad6f3"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.4.0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-612.json"}}],"schema_version":"1.7.5"}