SciTokens Enforcer, Path Traversal Vulnerability (Critical)

Listen to this Post

The vulnerability exists in the SciTokens Enforcer library (versions prior to the fix) where the `_check_scope` and `_scope_path_matches` methods fail to properly validate path scopes. When a token includes a scope claim like read:/home/user1/.., the library normalizes the path using urltools.normalize_path, which calls posixpath.normpath. This resolves the `..` component, turning the allowed path into /home. The requested path (e.g., /home/user2) is then compared using startswith(allowed_path + '/'), which succeeds because `/home/user2` starts with /home/. This bypasses intended directory isolation. Additionally, URL-encoded dots (%2e%2e) are unquoted during normalization, allowing attackers to hide traversal sequences. A scope like `read:/anything/..` normalizes to read:/, granting access to the entire filesystem. The flawed comparison logic treats the normalized allowed path as a prefix, failing to enforce the originally intended restriction.
Platform: SciTokens Enforcer
Version: 1.9.6
Vulnerability: Path Traversal
Severity: Critical
date: 2026-03-31

Prediction: April 15 2026

What Undercode Say:

Test for path traversal bypass using custom token scope
python3 -c "
import scitokens
t = scitokens.SciToken()
t['iss'] = 'https://scitokens.org'
t['scope'] = 'read:/home/user1/..'
e = scitokens.Enforcer('https://scitokens.org')
print(e.test(t, 'read', '/home/user2')) True if vulnerable
"
Check normalization behavior
python3 -c "
from scitokens.urltools import normalize_path
print(normalize_path('/home/user1/..')) Outputs '/home'
print(normalize_path('/foo/%2e%2e/bar')) Outputs '/bar'
"

Exploit:

Token with malicious scope
token['scope'] = "read:/anything/.."
Accesses /etc/passwd
enforcer.test(token, "read", "/etc/passwd") Returns True

Protection from this CVE

Upgrade to patched version; reject tokens containing `..` or encoded dots before normalization; enforce strict path prefix matching with canonicalization.

Impact

Complete filesystem read access; privilege escalation to any directory; data breach of sensitive files.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top