expo-file-system is vulnerable to Path Traversal
79
High Risk
The createFile, createDirectory, and rename APIs in expo-file-system on Android accept caller-supplied paths without confining them to the intended parent directory. A path containing traversal segments can escape the designated directory and create, rename, or overwrite files at arbitrary locations on the device that the application has access to. The fix validates resolved paths against the intended parent directory before performing any file operation.
You are affected if you are using a version that falls within the vulnerable range and your Android application passes untrusted input to createFile, createDirectory, or rename.
expo-file-system is vulnerable to Path Traversal in versions 0.0.1 - 19.0.22, 55.0.0 - 55.0.21 and 56.0.0 - 56.0.6.
Upgrade the expo-file-system library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant