9 matches found

OSV
added 2 days ago, 2 views

GHSA-WQP7-X3PW-XC5R Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows

Summary: When serving static files on Windows, StaticFiles resolves the requested path with os.path.realpath. If a UNC path such as \\attacker.com\share reaches the resolver, realpath causes the process to open a connection to the remote host over SMB (TCP port 445). This is a server-side request forgery...

CVSS 7.5, AI score 5.6, EPSS 0.00061
Exploits: 0, References: 2
Positive Technologies
added 2 days ago, 7 views

PT-2026-49554

Summary: When serving static files on Windows, StaticFiles resolves the requested path with os.path.realpath. If a UNC path such as \\attacker.com\share reaches the resolver, realpath causes the process to open a connection to the remote host over SMB (TCP port 445). This is a server-side request forgery...

CVSS 7.5, AI score 5.5, EPSS 0.00061
Exploits: 0, References: 3
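The two entries above describe the same defect: on Windows, a request path that carries a drive or UNC prefix is handed to os.path.realpath, and resolving a UNC root is what opens SMB to the attacker's host. The check therefore has to run before any filesystem resolution, and it has to understand Windows path rules. The block below is an added illustration of that pre-resolution check, not Starlette's code; the function names (reject_reason, naive_join, safe_join), the static root C:\srv\static and the request paths are assumptions. It uses ntpath explicitly so the Windows rules are exercised on any platform, and it never calls realpath or touches the filesystem.

```python
import ntpath
from typing import Optional

# Added illustration of the UNC/drive check that must run *before* any call to
# os.path.realpath on Windows.  Not Starlette's code; the function names, the
# root C:\srv\static and the sample request paths are assumptions.  ntpath is
# used explicitly so the Windows path rules run on any platform.

SEPS = ("\\", "/")


def reject_reason(request_path: str, flavour=ntpath) -> Optional[str]:
    """Return why `request_path` must not reach the resolver, or None if it is a
    plain relative path that can be joined under the static root."""
    if "\x00" in request_path:
        return "NUL byte"
    drive, tail = flavour.splitdrive(request_path)
    if drive:
        # 'C:', '\\host\share', '//host/share' or '\\?\UNC\host\share'.  A UNC
        # drive is what makes realpath() open SMB (TCP 445) to `host`, and it is
        # also what makes ntpath.join() discard the static root (see naive_join).
        return f"drive or UNC root {drive!r}"
    if tail[:1] in SEPS:
        # '\Windows\win.ini': rooted on the current drive, still outside the root.
        return "rooted path"
    parts = [p for p in tail.replace("\\", "/").split("/") if p not in ("", ".")]
    if ".." in parts:
        return "parent-directory traversal"
    return None


def naive_join(root: str, request_path: str, flavour=ntpath) -> str:
    """What an unguarded join does: os.path.join() on Windows drops `root` when
    the right-hand side carries a drive or UNC prefix, so the attacker's host wins."""
    return flavour.join(root, request_path)


def safe_join(root: str, request_path: str, flavour=ntpath) -> str:
    """Reject anything that is not a plain relative path, then join lexically.
    realpath()/open() may only be called on the value this returns."""
    reason = reject_reason(request_path, flavour)
    if reason is not None:
        raise ValueError(f"refusing {request_path!r}: {reason}")
    return flavour.normpath(flavour.join(root, request_path))


if __name__ == "__main__":
    root = r"C:\srv\static"
    # Constructed sample requests: one benign, the rest shapes the check must refuse.
    for req in (r"css\app.css", r"\\attacker.com\share\x", r"C:\Windows\win.ini",
                r"\Windows\win.ini", "../../secret.txt", "//attacker.com/share/x"):
        try:
            print(f"{req!r:32} -> {safe_join(root, req)}")
        except ValueError as exc:
            print(f"{req!r:32} -> {exc}   (naive join gave {naive_join(root, req)!r})")
```

The order matters: a containment check that runs after realpath is too late, because the SMB connection (and the NTLM exchange the advisory title refers to) happens inside realpath itself. Running the lexical check on the raw request path first means a UNC or drive-prefixed path never reaches the resolver at all.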
Veracode
added 2025/03/03 8:54 a.m., 3 views

Path Traversal

org.noear:solon-web-staticfiles is vulnerable to Path Traversal. The vulnerability is due to improper validation of user-supplied file paths in StaticMappings.java, allowing an attacker to access arbitrary files using "../filedir"...

CVSS 5.3, AI score 6.7, EPSS 0.00513
Exploits: 0, References: 9, Affected Software: 1
vulnersOsv
added 2025/02/23 3:30 p.m., 14 views

com.easy-flowable:easy-flowable-solon-plugin (>=1.0.0 <=1.0.2), com.luomor.pcsms:pcsms-solon-plugin-example (>=1.0.0 <=1.0.1) +17 more potentially affected by CVE-2025-1584 via org.noear:solon-web-staticfiles (>=2.9.2-M1 <=3.0.9-M2)

org.noear:solon-web-staticfiles MAVEN version =2.9.2-M1, =1.0.0, =1.0.0, =2024.3.0, =1.3.0, =20250107, =3.3.4, =1.8.4, =1.3.1, =1.7.8, =1.8.0, =2.9.2, =2.9.2, =2.9.2, =2.9.2, =3.0.10-M1 and more Source cves: CVE-2025-1584 Source advisory: OSV:GHSA-X8Q6-CCHR-P7M6...

CVSS 5.3, AI score 5.8, EPSS 0.00513
Exploits: 0
vulnersOsv
added 2025/02/23 3:30 p.m., 4 views

com.easy-flowable:easy-flowable-solon-plugin (>=1.0.0 <=1.0.2), com.luomor.pcsms:pcsms-solon-plugin-example (>=1.0.0 <=1.0.1) +17 more potentially affected by CVE-2025-1584 via org.noear:solon-web-staticfiles (>=3.0.0-M1 <=3.0.9-M2)

org.noear:solon-web-staticfiles MAVEN version =3.0.0-M1, =1.0.0, =1.0.0, =2024.3.0, =1.3.0, =20250107, =3.3.4, =1.8.4, =1.3.1, =1.7.8, =1.9.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.10-M1 and more Source cves: CVE-2025-1584 Source advisory: SNYK:JAVA-ORGNOEAR-8745976...

CVSS 5.3, AI score 5.8, EPSS 0.00513
Exploits: 0
Tenable Nessus
added 2023/05/25 12:00 a.m., 8 views

Fedora 37 : python-starlette (2023-b082504356)

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-b082504356 advisory. Backport patch for GHSA-v5gw-mw7f-84px Path traversal vulnerability in StaticFiles. Tenable has extracted the preceding description block directly from the...

AI score 5.6
Exploits: 0, References: 1
Veracode
added 2023/05/19 4:44 a.m., 21 views

Path Traversal

starlette is vulnerable to Path Traversal. A remote attacker is able to gain access to sensitive files when the file or directory is exposed via StaticFiles. The vulnerability is exploitable if the file or directory starts with the same name as the StaticFiles directory...

CVSS 7.5, AI score 7.2, EPSS 0.02032
Exploits: 1, References: 7, Affected Software: 1
OSV
added 2023/05/17 3:49 a.m., 29 views

GHSA-V5GW-MW7F-84PX Starlette has Path Traversal vulnerability in StaticFiles

Summary: When using StaticFiles, if there is a file or directory whose name starts with the name of the StaticFiles directory, that file or directory is also exposed via StaticFiles, which is a path traversal vulnerability. Details: The root cause of this issue is the usage of os.path.commonprefix:...

CVSS 6.3, AI score 7.3, EPSS 0.02032
Exploits: 1, References: 8
Github Security Blog
added 2023/05/17 3:49 a.m., 50 views

Starlette has Path Traversal vulnerability in StaticFiles

Summary: When using StaticFiles, if there is a file or directory whose name starts with the name of the StaticFiles directory, that file or directory is also exposed via StaticFiles, which is a path traversal vulnerability. Details: The root cause of this issue is the usage of os.path.commonprefix:...

CVSS 7.5, AI score 6.6, EPSS 0.02032
Exploits: 1, References: 8, Affected Software: 1
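The GHSA-v5gw-mw7f-84px entries above (OSV, GitHub Security Blog, and the Veracode and Fedora entries that reference it) name the root cause: a containment check built on os.path.commonprefix. commonprefix compares characters, not path components, so a sibling such as static-secret next to a static root passes the check once a "../" request lands on it. The block below is an added illustration of that failure beside the component-wise check using os.path.commonpath; it is not Starlette's code, and lookup(), the root /srv/app/static and the request paths are assumptions. It also covers the plain "../filedir" traversal shape the solon-web-staticfiles entries describe. posixpath is used explicitly so the result is the same on every platform, and nothing here touches the filesystem.

```python
import posixpath
from typing import Callable, Optional

# Added illustration of the os.path.commonprefix root cause and its commonpath
# replacement.  Not Starlette's code; lookup(), the root /srv/app/static and the
# sample request paths are assumptions.  posixpath is used explicitly so the
# output does not depend on the host platform.


def contained_by_commonprefix(root: str, candidate: str) -> bool:
    """The vulnerable check: longest common *string* prefix, not path prefix.
    '/srv/app/static-secret/x' shares the string '/srv/app/static' with the root."""
    return posixpath.commonprefix([candidate, root]) == root


def contained_by_commonpath(root: str, candidate: str) -> bool:
    """The hardened check: longest common *path* prefix, component by component.
    commonpath() raises ValueError when the inputs cannot share a root (absolute
    mixed with relative on POSIX, different drives on Windows); that is 'not
    contained', not an error to swallow silently elsewhere."""
    try:
        return posixpath.commonpath([root, candidate]) == root
    except ValueError:
        return False


def lookup(root: str, request_path: str,
           check: Callable[[str, str], bool]) -> Optional[str]:
    """Resolve `request_path` under `root` and return the full path if `check`
    accepts it, else None.  normpath() collapses '..' lexically, which is what
    lets a traversal land on a sibling before the containment check runs."""
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, request_path.lstrip("/")))
    return full if check(root, full) else None


if __name__ == "__main__":
    ROOT = "/srv/app/static"
    # Constructed sample requests: benign, prefix-sharing sibling, and a plain traversal.
    for req in ("css/app.css", "../static-secret/.env", "../static.bak/db.sqlite",
                "../../etc/passwd"):
        vuln = lookup(ROOT, req, contained_by_commonprefix)
        fixed = lookup(ROOT, req, contained_by_commonpath)
        print(f"{req:26} commonprefix -> {vuln!r:32} commonpath -> {fixed!r}")
```

Two points worth noticing when running it: the plain "../../etc/passwd" traversal is caught even by the vulnerable check, because "/srv/etc/passwd" does not start with the root string, which is why the defect went unnoticed until someone had a sibling directory sharing the root's name; and commonpath only protects you if the root itself is normalised the same way as the candidate (no trailing slash, no "./"), since a root of "/srv/app/static/" would never equal any commonpath result.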