U.S. Agencies Issue Warning on Software Path Traversal Vulnerabilities


Software developers are being warned about path traversal vulnerabilities, a prevalent class of software flaw that can let attackers read or write files outside the directory an application intends to expose. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint security alert highlighting the issue.

What is Path Traversal?

Path traversal, also known as directory traversal or directory climbing, occurs when a web application or system builds a file path from user-supplied input without properly validating and canonicalizing it. Sequences such as `../`, their URL-encoded equivalents, or an absolute path supplied where a relative one is expected can then steer the resulting path outside the intended directory. The flaw has been well understood for more than two decades and is still being exploited by threat actors, including in attacks affecting the healthcare and public health sector.
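The following is an added example, not code from the CISA/FBI alert or from any product it references. It places the naive path construction described above beside a hardened version and runs both over a handful of constructed request paths. `BASE_DIR` is an assumed upload directory, and the sample inputs are made up for illustration; they are not captured traffic.

```python
"""Path traversal: an unsafe file-path build next to a hardened one.

Added example, not code from the CISA/FBI alert. BASE_DIR is an assumed
upload directory; the paths in SAMPLE_REQUESTS are constructed inputs.
"""
import posixpath
import urllib.parse

BASE_DIR = "/srv/app/uploads"   # assumed document root the app must never escape


def vulnerable_resolve(user_path: str) -> str:
    """The bug: caller-controlled input is joined straight onto BASE_DIR.

    posixpath.join discards BASE_DIR entirely when user_path is absolute,
    and normpath collapses '..' components upward through BASE_DIR.
    """
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path))


def safe_resolve(user_path: str) -> str:
    """Validate the input, then confirm the normalized path is under BASE_DIR.

    Raises ValueError for anything that would escape or looks malformed.
    """
    # Decode percent-encoding exactly once. A '%' that survives means the
    # input was double-encoded (e.g. %252e%252e), which is refused outright
    # rather than decoded again.
    decoded = urllib.parse.unquote(user_path)
    if "%" in decoded:
        raise ValueError("double-encoded path")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Reject absolute paths and backslash separators instead of trying to
    # normalize them; refusing odd shapes is easier to reason about.
    if decoded.startswith("/") or "\\" in decoded:
        raise ValueError("absolute path or backslash separator")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    # Component-wise containment check. A plain startswith(BASE_DIR) would
    # accept '/srv/app/uploads_old/...'; commonpath compares segments.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError("path escapes BASE_DIR")
    # Caveat: this is a lexical check only. On a live filesystem also
    # resolve symlinks (os.path.realpath) before the containment test, or
    # open with O_NOFOLLOW / openat2(RESOLVE_BENEATH) where available.
    return candidate


def check_paths(paths):
    """Run both resolvers over the inputs; 'REJECTED' marks a refusal."""
    results = {}
    for p in paths:
        try:
            hardened = safe_resolve(p)
        except ValueError:
            hardened = "REJECTED"
        results[p] = (vulnerable_resolve(p), hardened)
    return results


SAMPLE_REQUESTS = [                      # constructed inputs
    "reports/2024/q1.pdf",               # legitimate
    "../../../etc/passwd",               # classic traversal
    "..%2F..%2F..%2Fetc%2Fpasswd",       # single URL-encoding
    "%252e%252e/%252e%252e/etc/passwd",  # double URL-encoding
    "/etc/passwd",                       # absolute path
    "..\\..\\..\\windows\\win.ini",      # backslash separators
    "../uploads_old/secret.txt",         # defeats a startswith() prefix check
]

if __name__ == "__main__":
    for req, (unsafe, safe) in check_paths(SAMPLE_REQUESTS).items():
        print(f"{req!r:40} unsafe -> {unsafe:45} hardened -> {safe}")
```

Note that the encoded inputs look harmless to `vulnerable_resolve` only because nothing here decodes them; in a real deployment the web server or framework usually decodes the URL before the application sees it, so the check in `safe_resolve` has to happen on the decoded value and refuse anything still carrying a `%`.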

The Impact on Critical Services

CISA currently lists 55 path traversal vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog. Exploitation of this class of flaw has disrupted critical services, including hospitals and schools. The agencies fault software manufacturers for continuing to ship products that remain susceptible to it.

Steps to Mitigate Risks

CISA and the FBI urge software manufacturers to conduct formal testing to determine whether their products are susceptible to directory traversal vulnerabilities. Customers should likewise ask their software vendors whether such testing has been performed. Where products lack appropriate mitigations, the agencies call for immediate action to eliminate this class of defect from all of them.

The agencies have advised that building security into products from the beginning is crucial in eliminating the risk of directory traversal vulnerabilities.

"Approaches to avoid directory traversal vulnerabilities are known, yet threat actors continue to exploit these vulnerabilities which have impacted the operation of critical services," the joint alert stated.

By taking these steps, software developers can enhance the security of their products and protect their customers from potential cyber threats.