Listen to this Post
The vulnerability exists in the SciTokens Enforcer library (versions prior to the fix) where the `_check_scope` and `_scope_path_matches` methods fail to properly validate path scopes. When a token includes a scope claim like read:/home/user1/.., the library normalizes the path using urltools.normalize_path, which calls posixpath.normpath. This resolves the `..` component, turning the allowed path into /home. The requested path (e.g., /home/user2) is then compared using startswith(allowed_path + '/'), which succeeds because `/home/user2` starts with /home/. This bypasses intended directory isolation. Additionally, URL-encoded dots (%2e%2e) are unquoted during normalization, allowing attackers to hide traversal sequences. A scope like `read:/anything/..` normalizes to read:/, granting access to the entire filesystem. The flawed comparison logic treats the normalized allowed path as a prefix, failing to enforce the originally intended restriction.
Platform: SciTokens Enforcer
Version: 1.9.6
Vulnerability: Path Traversal
Severity: Critical
date: 2026-03-31
Prediction: April 15 2026
What Undercode Say:
Test for path traversal bypass using custom token scope
python3 -c "
import scitokens
t = scitokens.SciToken()
t['iss'] = 'https://scitokens.org'
t['scope'] = 'read:/home/user1/..'
e = scitokens.Enforcer('https://scitokens.org')
print(e.test(t, 'read', '/home/user2')) True if vulnerable
"
Check normalization behavior
python3 -c "
from scitokens.urltools import normalize_path
print(normalize_path('/home/user1/..')) Outputs '/home'
print(normalize_path('/foo/%2e%2e/bar')) Outputs '/bar'
"
Exploit:
Token with malicious scope token['scope'] = "read:/anything/.." Accesses /etc/passwd enforcer.test(token, "read", "/etc/passwd") Returns True
Protection from this CVE
Upgrade to patched version; reject tokens containing `..` or encoded dots before normalization; enforce strict path prefix matching with canonicalization.
Impact
Complete filesystem read access; privilege escalation to any directory; data breach of sensitive files.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

