The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have jointly issued a security alert, stressing the importance for software developers to address path traversal vulnerabilities before releasing their products.
Path traversal, also referred to as directory traversal or climbing, poses a significant risk in software development. This vulnerability allows threat actors to access sensitive files and directories, particularly in web applications or systems that construct file paths based on user input without proper validation.
Despite being well documented for over two decades, path traversal remains a persistent issue in software products. The agencies highlight that threat actors consistently exploit this vulnerability class, particularly targeting sectors like healthcare and public health.
In the recent alert, CISA and the FBI emphasised the urgent need for action from software manufacturers. They expressed concern that these vulnerabilities continue to put customers at risk and have even impacted critical services such as hospital and school operations.
Currently, CISA has identified 55 path traversal vulnerabilities in the Known Exploited Vulnerabilities catalogue, indicating active exploitation in the wild. The agencies urge software manufacturer executives to mandate formal testing to assess their products' susceptibility to these vulnerabilities, referring to OWASP testing guidance.
Additionally, they encourage all software users to inquire with their partners about formal directory traversal testing. Manufacturers are advised to promptly implement mitigations to eliminate this class of defect from their products, stressing the importance of integrating security measures from the initial stages of development.
