{"id":"CVE-2022-25299","summary":"Arbitrary File Write","details":"This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload using the mg_http_upload() method may enable attackers to write files to arbitrary locations outside the designated target folder.","aliases":["SNYK-UNMANAGED-CESANTAMONGOOSE-2404180"],"modified":"2026-05-18T05:53:42.116890789Z","published":"2022-02-18T12:55:21.998Z","database_specific":{"cna_assigner":"snyk","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/25xxx/CVE-2022-25299.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/25xxx/CVE-2022-25299.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25299"},{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-UNMANAGED-CESANTAMONGOOSE-2404180"},{"type":"FIX","url":"https://github.com/cesanta/mongoose/commit/c65c8fdaaa257e0487ab0aaae9e8f6b439335945"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cesanta/mongoose","events":[{"introduced":"0"},{"fixed":"1b82aa02aa3d6fecfc23ed0a94c6917f139de1ad"}]}],"versions":["7.5","7.4","7.3","7.2","7.1","7.0","6.18","6.17","6.16","6.15","6.14","6.13","6.12","6.11","6.10","6.9","6.7","6.6","6.5","6.4","6.3","6.2","6.1","6.0","5.6","5.5_20140120","5.5","5.4","5.3","5.2","5.1","5.0","4.1","4.0","3.8","3.7","3.6","3.5","3.4","3.3","3.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-25299.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}