GHSA-vj8v-p5vw-m6v5: xrootd has path traversal in directory listing that allows access to the parent directory via trailing ".." pattern

April 10, 2026

A path traversal vulnerability in XRootD allows users to escape the exported directory scope and enumerate the contents of the parent directory by appending /.. (specifically without trailing slash) to an exported path in xrdfs ls or HTTP PROPFIND requests.

This bypass ignores the all.export restriction.

References

github.com/advisories/GHSA-vj8v-p5vw-m6v5
github.com/xrootd/xrootd
github.com/xrootd/xrootd/commit/45efac7267a115ca4f2102214498e8cb011eb69b
github.com/xrootd/xrootd/security/advisories/GHSA-vj8v-p5vw-m6v5

Code Behaviors & Features

Detect and mitigate GHSA-vj8v-p5vw-m6v5 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →