CVE-2024-22050

Path traversal in the static file service in Iodine less than 0.7.33 allows an unauthenticated, remote attacker to read files outside the public folder via malicious URLs.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/advisories/GHSA-85rf-xh54-whp3	Patch Third Party Advisory
https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889	Patch
https://github.com/boazsegev/iodine/security/advisories/GHSA-85rf-xh54-whp3	Vendor Advisory
https://vulncheck.com/advisories/vc-advisory-GHSA-85rf-xh54-whp3	Patch Third Party Advisory
https://github.com/advisories/GHSA-85rf-xh54-whp3	Patch Third Party Advisory
https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889	Patch
https://github.com/boazsegev/iodine/security/advisories/GHSA-85rf-xh54-whp3	Vendor Advisory
https://vulncheck.com/advisories/vc-advisory-GHSA-85rf-xh54-whp3	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:boazsegev:iodine:*:*:*:*:*:ruby:*:*

History

29 Nov 2025, 02:15

Type	Values Removed	Values Added
Summary	~~(en) Path traversal in the static file service in Iodine less than 0.7.33 allows an unauthenticated, remote attacker to read files outside the public folder via malicious URLs.~~	(en) Path traversal in the static file service in Iodine less than 0.7.33 allows an unauthenticated, remote attacker to read files outside the public folder via malicious URLs.

Information

Published : 2024-01-04 21:15

Updated : 2025-11-29 02:15

NVD link : CVE-2024-22050

Mitre link : CVE-2024-22050

CVE.ORG link : CVE-2024-22050

JSON object : View

Products Affected

boazsegev

iodine

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2024-22050", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-01-04T21:15:10.100", "references": [{"url": "https://github.com/advisories/GHSA-85rf-xh54-whp3", "tags": ["Patch", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/boazsegev/iodine/security/advisories/GHSA-85rf-xh54-whp3", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-85rf-xh54-whp3", "tags": ["Patch", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://github.com/advisories/GHSA-85rf-xh54-whp3", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/boazsegev/iodine/security/advisories/GHSA-85rf-xh54-whp3", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://vulncheck.com/advisories/vc-advisory-GHSA-85rf-xh54-whp3", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Path traversal in the static file service in Iodine less than 0.7.33 allows an unauthenticated, remote attacker to read files outside the public folder via malicious URLs."}, {"lang": "es", "value": "Path traversal en el servicio de archivos est\u00e1ticos en Iodine inferior a 0.7.33 permite a un atacante remoto no autenticado leer archivos fuera de la carpeta p\u00fablica a trav\u00e9s de URL maliciosas."}], "lastModified": "2025-11-29T02:15:50.880", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:boazsegev:iodine:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "259C2480-6121-490C-8B3A-911E14C61AC7", "versionEndIncluding": "0.7.33"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}