LogicalBreach Academy

Path Traversal in writeFile via Unsafe Prefix Containment Check Allows Out-of-Directory Writes | Free Bug Bounty Writeup | LogicalBreach Academy

Back

Path TraversalCVSS 6.7Medium

Path Traversal in writeFile via Unsafe Prefix Containment Check Allows Out-of-Directory Writes

hackerone-reports

April 4, 2026

13 views

Save

€0

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/3634571 by tipsen

Summary:

protodump uses descriptor-controlled paths (name/go_package) in output filename construction and then enforces containment with a lexical strings.HasPrefix check after EvalSymlinks. That check is bypassable with ../ traversal into existing prefix-matching sibling directories, enabling writes outside the intended output directory.

Steps To Reproduce:

First of all, build the protodump
Then, create a malicious input blob (descriptor name = ../out_pwn/evil.proto):

name = b'../out_pwn/evil.proto'
with open('/tmp/evil.bin', 'wb') as f:
    f.write(bytes([0x0a, len(name)]) + name + b'\x00')

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

Discussion

No comments yet.

Be the first to share your thoughts