VYPR
Unrated severity · NVD Advisory · Published Mar 15, 2021 · Updated Sep 17, 2024

Directory Traversal

CVE-2021-23357

Description

Directory traversal in Tyk Gateway's handleAddOrUpdateApi allows deleting or overwriting arbitrary JSON files via the management API by controlling the APIID parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The function handleAddOrUpdateApi in the Tyk Gateway package (all versions up to at least v3.0.1) is vulnerable to directory traversal [1][2]. The APIID supplied by the user in an API creation request is used, unvalidated, as the file name under which the API definition is stored: the gateway appends .json to it and joins the result to its API definitions directory. If a file already exists at that path it is deleted, and the path is then re-created with the contents of the API creation request [1]. Because path segments such as ../ in the APIID are honoured when the path is resolved, an attacker can point the write at any .json file the gateway process can reach (an APIID of ../something, for example, targets something.json one directory above the definitions directory). The affected code is at gateway/api.go#L771 in the v3.0.1 branch [1]. No fixed version was available as of the publication date [2].

Exploitation

The attacker needs to be able to submit API creation requests to the Tyk management API. The references describe no authentication check in the vulnerable code path itself, so the practical precondition is whatever access the deployment requires to reach that API: network reachability plus any management credentials the deployment enforces. The issue's reproduction is: (1) place a JSON file outside the intended API definitions directory (e.g., ../something.json); (2) issue a request to create a new API with APIID set to ../something; (3) observe that the gateway deletes that file and overwrites it with the submitted API definition [1]. Step (1) exists only to make the effect observable; in an attack, any existing .json file reachable by traversal from the definitions directory is a target, and the attacker does not need to create it. The replacement content is the gateway's own serialisation of the submitted API definition, so the attacker controls the field values but not the overall JSON structure.
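The path construction at the heart of the report, as an added example that models the pattern rather than reproducing Tyk's code: vulnerableDefPath joins a user-supplied APIID plus ".json" onto the definitions directory the way the issue describes, and safeDefPath is a hypothetical hardened version that allowlists the identifier characters and then confirms the resolved path is a direct child of the base directory. The directory /opt/tyk-gateway/apps and the function names are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// errBadAPIID is returned for any APIID that is not a single safe file-name element.
var errBadAPIID = errors.New("APIID is not a safe file name component")

// vulnerableDefPath models the pattern reported in the issue: the user-supplied
// APIID becomes the file name with ".json" appended. filepath.Join cleans the
// result, so "../something" resolves to a file above appPath.
func vulnerableDefPath(appPath, apiID string) string {
	return filepath.Join(appPath, apiID+".json")
}

// safeDefPath allows only identifiers made of [A-Za-z0-9_-] and then verifies
// that the resolved path is a direct child of appPath. Both checks are
// hypothetical hardening for this example, not code from the Tyk project.
func safeDefPath(appPath, apiID string) (string, error) {
	if apiID == "" {
		return "", errBadAPIID
	}
	for _, r := range apiID {
		isAlnum := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
		if !isAlnum && r != '-' && r != '_' {
			return "", errBadAPIID
		}
	}
	base := filepath.Clean(appPath)
	p := filepath.Join(base, apiID+".json")
	// Defence in depth: even with the allowlist, insist the result is base/<name>.json.
	rel, err := filepath.Rel(base, p)
	if err != nil || filepath.Dir(rel) != "." || strings.HasPrefix(rel, "..") {
		return "", errBadAPIID
	}
	return p, nil
}

func main() {
	const appPath = "/opt/tyk-gateway/apps" // constructed example directory
	for _, id := range []string{"my-api-1", "../something", "../../../etc/something", "a/b"} {
		fmt.Printf("%-26q unsafe: %s\n", id, vulnerableDefPath(appPath, id))
		if p, err := safeDefPath(appPath, id); err != nil {
			fmt.Printf("%-26s safe:   rejected\n", "")
		} else {
			fmt.Printf("%-26s safe:   %s\n", "", p)
		}
	}
}
```

The allowlist alone would be enough to block traversal; the Rel/Dir check is kept so that a later relaxation of the character set (say, to permit dots) cannot silently reintroduce the bug.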

Impact

Successful exploitation allows an attacker to delete arbitrary JSON files on the Tyk host filesystem or replace them with attacker-chosen content, limited to the shape of a serialised API definition object. Because the existing file is removed before the replacement is written, the original contents are lost even if the subsequent write fails. Deleting or corrupting configuration files can cause denial of service, and rewriting JSON files that other software trusts can open a path to further compromise of the host. All writes happen with the privileges of the Tyk Gateway process, so the reachable set of files is whatever that process can read and write [1][2].

Mitigation

As of the publication date (2021-03-15) and per the Snyk advisory, there is no fixed version available for the github.com/TykTechnologies/tyk/gateway package [2]. The issue is tracked as Tyk GitHub issue #3390 [1]. Suggested workarounds are to restrict access to the management API to trusted users and networks, and to stop deriving file names from user input: either validate the APIID as a single safe file-name component before use, or map external APIIDs to internally generated file names (e.g., UUIDs) as recommended in the issue report [1]. The vulnerability is not listed in CISA KEV as of this writing.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The handleAddOrUpdateApi function improperly uses user-supplied input as part of file paths, allowing directory traversal."

Attack vector

An attacker can exploit this vulnerability by sending a crafted API creation request to the management API. The APIID parameter in that request can carry directory traversal sequences such as '../../', which lets the attacker target arbitrary JSON files on the disk where Tyk is running. If a file with the resulting name exists, it is deleted and then overwritten with the attacker's API definition [1].

Affected code

The vulnerability resides in the handleAddOrUpdateApi function, at gateway/api.go#L771 in version v3.0.1 of the Tyk gateway [1]. This function takes the user-supplied APIID and uses it directly to construct the file path on disk at which the API definition is stored.

What the fix does

The advisory recommends that Tyk not use user-defined input directly as part of file names, and instead maintain a mapping between API IDs and gateway-generated file names such as UUIDs [1]. No patch is referenced on this page, so this describes the recommended remediation rather than a shipped fix. A fix along these lines would either decouple the stored file name from the user-supplied identifier entirely, or validate the APIID as a single file-name element (no path separators or dot segments) and verify that the resolved path is a direct child of the definitions directory.

Preconditions

  • auth: The attacker must have access to the Tyk management API.
  • input: The attacker must be able to control the APIID parameter in API creation requests.

Reproduction

1. Create a file outside of Tyk's API definition storage directory, e.g., `../something.json`.
2. Make a request to create an API with an APIID set to `../something`.
3. Observe that the file `../something.json` is deleted and then overwritten with the API definition object from the request [1].
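The three reproduction steps above and the mapping-based remediation described under "What the fix does", run end to end as an added example that is not Tyk's code: vulnerableStore models the delete-then-write sequence the issue describes, mappedStore is a hypothetical store that uses the APIID only as a lookup key and writes to a gateway-generated random file name, and reproduce runs both against a temporary directory. The apiDef type, the function names and the file contents are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// apiDef is a minimal stand-in for an API definition (constructed, not Tyk's type).
type apiDef struct {
	APIID string `json:"api_id"`
	Name  string `json:"name"`
}

// vulnerableStore models the sequence described in the issue: build the path
// from the user-supplied APIID, remove any file already there, write the new one.
func vulnerableStore(appPath string, def apiDef) (string, error) {
	p := filepath.Join(appPath, def.APIID+".json") // "../x" escapes appPath
	_ = os.Remove(p)                                // delete whatever is at the attacker-chosen path
	b, err := json.MarshalIndent(def, "", "  ")
	if err != nil {
		return "", err
	}
	return p, os.WriteFile(p, b, 0o644)
}

// mappedStore follows the mitigation suggested in the issue: the APIID is a
// lookup key only; the file name is a random token with no separators or dots.
type mappedStore struct {
	appPath string
	index   map[string]string // APIID -> generated file name (in memory for the example)
}

func (s *mappedStore) put(def apiDef) (string, error) {
	name, ok := s.index[def.APIID]
	if !ok {
		var r [16]byte
		if _, err := rand.Read(r[:]); err != nil {
			return "", err
		}
		name = hex.EncodeToString(r[:]) + ".json"
		s.index[def.APIID] = name
	}
	b, err := json.MarshalIndent(def, "", "  ")
	if err != nil {
		return "", err
	}
	p := filepath.Join(s.appPath, name)
	return p, os.WriteFile(p, b, 0o644)
}

// reproduce runs the issue's three steps in a temp dir and reports whether the
// vulnerable store replaced the outside file and whether the mapped store stayed inside appPath.
func reproduce() (vulnOverwrote, mappedInside bool, err error) {
	root, err := os.MkdirTemp("", "cve-2021-23357-")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(root)
	appPath := filepath.Join(root, "apps")
	if err := os.Mkdir(appPath, 0o755); err != nil {
		return false, false, err
	}
	// Step 1: a JSON file outside the definitions directory (constructed content).
	victim := filepath.Join(root, "something.json")
	if err := os.WriteFile(victim, []byte(`{"trusted": true}`), 0o644); err != nil {
		return false, false, err
	}
	// Step 2: an API creation request whose APIID is "../something".
	def := apiDef{APIID: "../something", Name: "evil"}
	// Step 3: the vulnerable store deletes and rewrites the outside file.
	if _, err := vulnerableStore(appPath, def); err != nil {
		return false, false, err
	}
	var back apiDef
	got, err := os.ReadFile(victim)
	vulnOverwrote = err == nil && json.Unmarshal(got, &back) == nil && back.Name == "evil"
	// The same request against the mapped store lands inside appPath.
	s := &mappedStore{appPath: appPath, index: map[string]string{}}
	p, err := s.put(def)
	if err != nil {
		return vulnOverwrote, false, err
	}
	rel, err := filepath.Rel(appPath, p)
	mappedInside = err == nil && filepath.Dir(rel) == "."
	return vulnOverwrote, mappedInside, nil
}

func main() {
	v, m, err := reproduce()
	fmt.Println("vulnerable store replaced ../something.json:", v)
	fmt.Println("mapped store wrote inside apps dir:", m, "err:", err)
}
```

A real implementation would persist the APIID-to-file-name index alongside the definitions (and treat that index file as internal state, never as a user-writable name); the in-memory map here is enough to show that the user-controlled string never reaches the filesystem.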

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)