ipx is vulnerable to Path Traversal
81
High Risk
Affected versions of this package are vulnerable to Path Traversal via a prefix bypass. When a base directory is defined, path validation is insufficient: inputs that share an initial substring with the base directory are accepted. The sanitization logic fails to distinguish between the exact base directory and user-supplied paths that merely contain the same prefix, and treats both as valid. An attacker can exploit this by crafting paths that combine directory traversal sequences (../) with deceptive prefixes matching the start of the base directory name, bypassing the security checks to access arbitrary files outside the restricted directory. This leads to unauthorized information disclosure or system compromise.
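The prefix comparison described above, shown beside a segment-aware containment check. This is an added example, not ipx source code; the base directory, file names and function names are constructed for illustration, and POSIX path rules are assumed.

```javascript
// Added illustration; not ipx source code. All paths and names are constructed.
const path = require("node:path").posix;

const BASE_DIR = "/srv/app/public"; // hypothetical base directory

// Weak check: raw string-prefix comparison on the resolved path.
// "/srv/app/public-backup" also starts with "/srv/app/public".
function isInsideWeak(baseDir, userPath) {
  const resolved = path.resolve(baseDir, userPath);
  return resolved.startsWith(baseDir);
}

// Hardened check: decide containment on path-segment boundaries.
// The path relative to the base must not climb out of it.
function isInsideStrict(baseDir, userPath) {
  const base = path.resolve(baseDir);
  const resolved = path.resolve(base, userPath);
  const rel = path.relative(base, resolved);
  if (rel === "") return true; // the base directory itself
  const climbsOut = rel === ".." || rel.startsWith(".." + path.sep);
  return !climbsOut && !path.isAbsolute(rel);
}

// Constructed sample inputs.
const samples = [
  "images/logo.png",            // inside the base directory
  "../public-backup/db.sqlite", // sibling directory sharing the base's prefix
  "../../other/file.txt",       // plain traversal, no shared prefix
  "..hidden/file.txt",          // legitimate name that merely starts with dots
];

// Evaluate every input with both checks so the difference is visible.
function compare(inputs) {
  return inputs.map((input) => ({
    input,
    resolved: path.resolve(BASE_DIR, input),
    weak: isInsideWeak(BASE_DIR, input),
    strict: isInsideStrict(BASE_DIR, input),
  }));
}

console.table(compare(samples));
```

Only the second input is judged differently by the two checks: the prefix comparison accepts it, the segment-aware check rejects it.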
You are affected if you are using a version that falls within the vulnerable range.
ipx is vulnerable to Path Traversal in versions 1.0.0 - 1.3.1, 2.0.0 - 2.1.0 and 3.0.0 - 3.1.0.
Upgrade the ipx library to a patched version.