How CVE-2026-42351 Works
- The vulnerability exists in pygeoapi's STAC FileSystemProvider plugin, which handles directory browsing for STAC collection resources.
- The vulnerable function is `FileSystemProvider.get_data_path()`, which constructs file system paths via raw string concatenation.
- In versions 0.23.0 through 0.23.2, `get_data_path` used `os.path.join(self.data, dirpath)` to build the target path.
- The `dirpath` parameter was taken directly from user-controlled URL input without any sanitization.
- An attacker can include path traversal sequences (e.g., `..`) in the requested directory path.
- Because no proxy or web front-end normalizes these sequences, the raw `..` values reach the vulnerable code.
- The `os.path.join` call then blindly concatenates the base directory (`self.data`) with the attacker-controlled `dirpath`.
- This allows an attacker to navigate outside the intended STAC collection root directory.
- The issue only manifests when the configuration defines a resource of type `stac-collection` and no upstream normalization is present.
- By crafting a request like `/collections/../sensitive/../etc/passwd`, an unauthenticated user can access arbitrary files.
- The lack of authentication means any external user can exploit this to read system files.
- The patch, introduced in commit bf25b86, adds an explicit check: `if '..' in dirpath: raise ProviderInvalidQueryError`.
- This check blocks any request containing a `..` sequence before path construction occurs.
- The vulnerable code is located in `pygeoapi/provider/filesystem.py` in the `FileSystemProvider` class.
- A test case was added to verify that `../../` sequences are properly rejected.
- The vulnerability is classified as Path Traversal (CWE-22) with high severity.
- Exploitation requires no authentication and can lead to full directory listing exposure.
- The attack is trivial to execute via a standard web request with a crafted URL path.
- The issue was privately reported and fixed in pygeoapi 0.23.3.
- Users are strongly advised to upgrade or apply the workaround immediately.
DailyCVE Form
Platform: python (pip)
Version: 0.23.0 – 0.23.2
Vulnerability: Path Traversal
Severity: High (CVSS 7.5)
Date: 2026-04-29
Prediction: 2026-04-29 (0.23.3)
What Undercode Say:
- Check the installed pygeoapi version: `pip show pygeoapi | grep Version`
- Detect potential exploitation attempts in logs (the dots are escaped so that only literal `../` runs match, not any two characters followed by a slash): `grep -E '\.\./(\.\./)+' /var/log/pygeoapi/access.log`
- Simulate the attack with curl (for testing only): `curl -k "https://target:5000/collections/../../../../etc/passwd"`
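The grep above only sees a literal `../`; a request that arrives percent-encoded (`%2e%2e/`) or double-encoded (`%252e%252e/`) decodes to the same traversal on the server but slips past the pattern, while a harmless name such as `v1..v2` can trip a looser pattern. The following detector is an added example, not part of the original post or of pygeoapi: it parses common-log-format lines, strips the query string, percent-decodes until the path is stable, and flags only a `..` that forms a whole path segment. The log lines are constructed for the example; the field layout assumes the common log format, and the path to a real pygeoapi access log depends on how the service is deployed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in common log format (not real pygeoapi logs).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Apr/2026:10:01:12 +0000] "GET /collections/landsat/items HTTP/1.1" 200 5120
10.0.0.9 - - [29/Apr/2026:10:02:40 +0000] "GET /collections/../../../../etc/passwd HTTP/1.1" 200 1842
10.0.0.9 - - [29/Apr/2026:10:02:41 +0000] "GET /collections/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1842
10.0.0.9 - - [29/Apr/2026:10:02:42 +0000] "GET /collections/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 120
10.0.0.7 - - [29/Apr/2026:10:03:05 +0000] "GET /collections/v1..v2/items?f=json HTTP/1.1" 200 300
"""

# Common log format: client, ident, user, [timestamp], "METHOD path proto", status, bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' that forms a whole path segment, not two dots inside a file name.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalise_path(raw: str, max_rounds: int = 3) -> str:
    """Drop the query string and percent-decode until the text stops changing,
    so %2e%2e and double-encoded %252e%252e are compared as a literal '..'."""
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per request whose decoded path contains a '..' segment.
    The HTTP status is kept so responders can triage served (200) requests first."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = normalise_path(m.group("path"))
        if TRAVERSAL_RE.search(decoded):
            hits.append({
                "client": m.group("client"),
                "raw_path": m.group("path"),
                "decoded_path": decoded,
                "status": int(m.group("status")),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        served = "SERVED" if hit["status"] == 200 else "not served"
        print(f'{hit["client"]} {hit["status"]} {served}: {hit["raw_path"]} -> {hit["decoded_path"]}')
```

Run against the sample, the detector reports the three requests from 10.0.0.9 (plain, encoded and double-encoded) and ignores the `v1..v2` collection name; pipe a real access log into `find_traversal_attempts` to do the same check at scale.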
Exploit:
An unauthenticated attacker sends an HTTP GET request to a pygeoapi endpoint serving a STAC collection resource, inserting `../` sequences into the URL path. No authentication is required, and the server returns the contents of the traversed directory or file. A sample exploit string:
`GET /collections/../../../../var/lib/pygeoapi/secrets.json`
The server concatenates the base path (e.g., /data/stac/) with the malicious path, resulting in access to files outside the intended root.
Protection from this CVE
- Upgrade: Install pygeoapi version 0.23.3 or later using `pip install --upgrade pygeoapi`.
- Workaround: If upgrading is not possible, disable all STAC collection-based resources in the pygeoapi configuration file (`pygeoapi.yml`).
- Network defense: Deploy a reverse proxy (e.g., Nginx, Apache) that normalizes URL paths and rejects requests containing `..` sequences.
- Code review: Ensure any custom providers implement path sanitization similar to the commit bf25b86.
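To make the `get_data_path` behaviour described under "How CVE-2026-42351 Works" and the code-review advice above concrete, here is an added example that models the three stages side by side. It is not pygeoapi's code: `ProviderInvalidQueryError`, the `self.data` attribute and the `get_data_path` name are taken from the write-up, but their real definitions are not on the page, so the classes below are stand-ins, and the data root `/srv/stac-data` is a constructed value. `VulnerableProvider` joins the request path unchecked, `PatchedProvider` applies the `'..'` substring refusal the advisory summarises, and `ContainedProvider` shows the stricter check a reviewer would ask for in a custom provider: resolve the final path and require it to stay under the data root.

```python
import os
from pathlib import Path

# Constructed data root for the example; in pygeoapi it comes from pygeoapi.yml.
ROOT = "/srv/stac-data"


class ProviderInvalidQueryError(Exception):
    """Stand-in for the pygeoapi exception named in the write-up (assumption:
    only the name is taken from the page, not its real definition)."""


class VulnerableProvider:
    """Model of the 0.23.0 - 0.23.2 behaviour described above: the
    request-supplied dirpath is joined onto the data root with no check."""

    def __init__(self, data_root: str):
        self.data = data_root

    def get_data_path(self, dirpath: str) -> str:
        return os.path.join(self.data, dirpath)


class PatchedProvider(VulnerableProvider):
    """Model of the 0.23.3 fix as the write-up summarises it: any '..'
    anywhere in dirpath is refused before a path is built."""

    def get_data_path(self, dirpath: str) -> str:
        if ".." in dirpath:
            raise ProviderInvalidQueryError(f"invalid path: {dirpath!r}")
        return os.path.join(self.data, dirpath)


class ContainedProvider(VulnerableProvider):
    """Stricter variant added for this example (not from the patch): build the
    path, resolve it, and require the result to stay under the data root.
    A substring test cannot see an absolute dirpath (os.path.join discards the
    base when a later component is absolute) or a symlink that points outside
    the root; a containment check catches both, and it no longer rejects
    harmless names such as 'v1..v2' that merely contain two dots."""

    def get_data_path(self, dirpath: str) -> str:
        root = Path(self.data).resolve()
        candidate = (root / dirpath).resolve()
        try:
            candidate.relative_to(root)
        except ValueError:
            raise ProviderInvalidQueryError(
                f"path {dirpath!r} resolves outside the data root"
            ) from None
        return str(candidate)


def is_rejected(provider: VulnerableProvider, dirpath: str) -> bool:
    """True if the provider refuses dirpath with ProviderInvalidQueryError."""
    try:
        provider.get_data_path(dirpath)
    except ProviderInvalidQueryError:
        return True
    return False


if __name__ == "__main__":
    requests = ("landsat/items", "v1..v2/items", "../../etc/passwd", "/etc/passwd")
    for cls in (VulnerableProvider, PatchedProvider, ContainedProvider):
        provider = cls(ROOT)
        for req in requests:
            try:
                print(f"{cls.__name__:20} {req:18} -> {provider.get_data_path(req)}")
            except ProviderInvalidQueryError as exc:
                print(f"{cls.__name__:20} {req:18} -> rejected ({exc})")
```

The containment check is the shape to look for during the code review the list recommends: it validates the resolved result rather than the input text, so it holds regardless of how the traversal was spelled, and it is the same idea a reverse proxy applies when it normalizes the URL before forwarding.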
Impact
Successful exploitation allows an unauthenticated remote attacker to read any file or list any directory on the server’s file system that the pygeoapi process has access to. This can lead to leakage of sensitive configuration files, credentials, source code, and other proprietary data. The vulnerability can also be chained to disclose internal system information, potentially enabling further attacks. The primary impact is on confidentiality; no loss of integrity or availability is directly caused by this flaw.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode