GHSA-h39g-6x3c-7fq9: Zio has SubFileSystem Path Confinement Bypass via Unresolved `..` Segment

April 18, 2026

SubFileSystem fails to confine operations to its declared sub path when the input path is /../ (or equivalents /../, /..\\). This path passes all validation but resolves to the root of the parent filesystem, allowing directory level operations outside the intended boundary.

References

github.com/advisories/GHSA-h39g-6x3c-7fq9
github.com/xoofx/zio
github.com/xoofx/zio/commit/c8c2f5328e50c1e7ab8c5c405fe70e0bd35f4782
github.com/xoofx/zio/releases/tag/0.22.2
github.com/xoofx/zio/security/advisories/GHSA-h39g-6x3c-7fq9

Code Behaviors & Features

Detect and mitigate GHSA-h39g-6x3c-7fq9 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →