Intel

AIKIDO-2026-39391

expo-file-system is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 2 days ago

79

High Risk

This Affects:

JSexpo-file-system
0.0.1 - 19.0.22
Fixed in 19.0.23
55.0.0 - 55.0.21
Fixed in 55.0.22
56.0.0 - 56.0.6
Fixed in 56.0.7
Are you affected? Scan for Free

TL;DR

The createFile, createDirectory, and rename APIs in expo-file-system on Android accept caller-supplied paths without confining them to the intended parent directory. A path containing traversal segments can escape the designated directory and create, rename, or overwrite files at arbitrary locations on the device that the application has access to. The fix validates resolved paths against the intended parent directory before performing any file operation.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your Android application passes untrusted input to createFile, createDirectory, or rename.

Background info

expo-file-system is vulnerable to Path Traversal in versions 0.0.1 - 19.0.22, 55.0.0 - 55.0.21 and 56.0.0 - 56.0.6.

How to fix this

Upgrade the expo-file-system library to the patch version.