Intel

AIKIDO-2026-999895

shrine is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 26, 2026

59

Medium Risk

This Affects:

RUBYshrine
0.9.0 - 3.7.1
Fixed in 3.8.0
Are you affected? Scan for Free

TL;DR

The file_system storage in shrine builds the full path to a file by joining the configured storage directory with the file id, without validating where the result resolves. When the id comes from attacker-controlled data, such as a tampered cached attachment hash containing ../ sequences, the path can resolve to a location outside of the storage directory. Operations like opening, deleting, checking existence, and uploading then act on arbitrary files on the host filesystem, allowing out-of-bounds file read and deletion. The fix raises Shrine::Error whenever an id would resolve outside of the storage directory.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses the file_system storage with file identifiers derived from attacker-controlled data.

Background info

shrine is vulnerable to Path Traversal in versions 0.9.0 - 3.7.1.

How to fix this

Upgrade the shrine library to the patch version.