Versions of st prior to 0.2.5 are affected by a directory traversal vulnerability. Vulnerable versions fail to properly handle URL-encoded dots, which causes %2e to be interpreted as . by the filesystem, resulting in the potential for an attacker to read sensitive files on the server.
Update to version 0.2.5 or later.
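
The ordering flaw described above, as an added example that is not taken from st's source: a traversal filter that inspects the raw URL before percent-decoding, next to a resolver that decodes first and then confines the result to the served root. `ROOT`, `collapse`, `resolveNaive`, `resolveSafe` and the request paths are assumptions constructed for this illustration.

```javascript
// Added illustration, not st's source. ROOT, the function names and the
// request paths are constructed for this example.
const ROOT = '/srv/public';

// Lexically collapse "." and ".." segments the way path resolution does.
// With strict=true, return null if a ".." would climb above the top.
function collapse(p, strict) {
  const out = [];
  for (const seg of p.split(/[\\/]+/)) {
    if (seg === '' || seg === '.') continue;
    if (seg !== '..') { out.push(seg); continue; }
    if (out.length === 0 && strict) return null;
    out.pop();
  }
  return '/' + out.join('/');
}

// Flawed order: the ".." filter sees the raw URL, decoding happens later,
// so an encoded "%2e%2e" segment is never matched by the filter.
function resolveNaive(urlPath) {
  if (urlPath.split('/').includes('..')) return null;
  return collapse(ROOT + decodeURIComponent(urlPath), false);
}

// Hardened order: decode exactly once, then confine the decoded path to ROOT.
function resolveSafe(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch (e) {
    return null;                        // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null;
  const rel = collapse(decoded, true);  // null if it climbs above ROOT
  return rel === null ? null : ROOT + (rel === '/' ? '' : rel);
}

// Constructed request paths, resolved both ways.
for (const p of ['/css/site.css', '/css/%2e%2e/index.html', '/%2e%2e/secret.txt']) {
  console.log(p, '| naive:', resolveNaive(p), '| safe:', resolveSafe(p));
}
```

The confinement here is purely lexical; it does not follow symlinks, so a server that must also defend against links pointing outside the root needs a real-path check on top.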