CVE-2022-25937: Path traversal vulnerability in glance

February 13, 2023 (updated March 21, 2025)

Versions of the package glance before 3.0.9 are vulnerable to Directory Traversal that allows users to read files outside the public root directory. This is related to but distinct from the vulnerability reported in CVE-2018-3715.

References

gist.github.com/lirantal/c8cfb0398c78e558b7d4ac02aae67809
github.com/advisories/GHSA-3hjh-5hgx-f5wh
github.com/jarofghosts/glance
github.com/jarofghosts/glance/commit/8cecfe90286e0c45a5494067f1b592d0ccfeabac
nvd.nist.gov/vuln/detail/CVE-2022-25937
security.snyk.io/vuln/SNYK-JS-GLANCE-3318395

Code Behaviors & Features

Detect and mitigate CVE-2022-25937 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →