VYPR
Moderate severity · NVD Advisory · Published Apr 13, 2021 · Updated Aug 3, 2024

Possible limited path traversal vulnerability in Apache Commons IO

CVE-2021-29425

Description

Apache Commons IO before 2.7's FileNameUtils.normalize may fail to sanitize inputs like "//../foo", enabling limited path traversal.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Apache Commons IO versions before 2.7 contain a limited path traversal vulnerability in the FileNameUtils.normalize method. When provided with an improper input string such as "//../foo" or "\\..\foo", the method returns the same value unsanitized instead of normalizing it, potentially allowing access to files in the parent directory [1][2]. The issue is related to how getPrefixLength treats leading "//" as a UNC server name, bypassing further validation in doNormalize [2].

Exploitation

An attacker who can supply a crafted file name string (for example, via a multipart POST request in a web application) can exploit this behavior if the application uses FileNameUtils.normalize to sanitize user input and later constructs a file path by appending the result to a base directory [2]. No special network position beyond normal application access is required; the attacker simply provides the malicious string as user input.

Impact

A successful exploit results in a limited path traversal, allowing the attacker to reference files one directory level above the intended base directory (e.g., reading or writing files via a single "../" step). The traversal is limited to the immediate parent directory and cannot go further above, as described in the CVE. The impact scope includes potential information disclosure or file manipulation depending on how the application uses the normalized path [1][2].

Mitigation

The fix was released in Apache Commons IO version 2.7 [1][3]. Users should upgrade to 2.7 or later. If upgrading is not immediately possible, applications should avoid using FileNameUtils.normalize with untrusted input without additional validation, or implement their own input sanitization that rejects or normalizes paths containing leading slashes or UNC-style prefixes.
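One way to implement the containment check recommended above, as an added example written for this page (it is not Commons IO code). It assumes a POSIX file system and a hypothetical upload directory /var/app/uploads, and relies only on java.nio.file rather than on any library's normalize() to sanitize the input:

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

// Added example, not part of Apache Commons IO: validate a user-supplied
// file name against a base directory before joining the two.
public final class SafeFileName {

    private SafeFileName() {}

    /** Returns the resolved path under baseDir, or throws if the input escapes it. */
    public static Path resolveUnderBase(Path baseDir, String userSupplied) {
        if (userSupplied == null || userSupplied.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // On POSIX a backslash is an ordinary file-name character, so "\\..\foo"
        // would pass a containment check as one odd-looking name and only act as
        // traversal once the same code runs on Windows. Reject it up front.
        if (userSupplied.indexOf('\\') >= 0) {
            throw new IllegalArgumentException("backslash not allowed: " + userSupplied);
        }
        Path base = baseDir.toAbsolutePath().normalize();
        // resolve() keeps an absolute input such as "//../foo" as-is, and
        // normalize() collapses it to "/foo", which then fails the startsWith test.
        Path candidate = base.resolve(userSupplied).normalize();
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new IllegalArgumentException("escapes base directory: " + userSupplied);
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path uploads = Paths.get("/var/app/uploads"); // hypothetical base directory
        // Constructed inputs: the two strings quoted in the advisory, a plain
        // "../" step, a nested name, and a benign file name.
        List<String> samples = List.of("//../foo", "\\\\..\\foo", "../foo",
                                       "2021/report.pdf", "report.pdf");
        for (String name : samples) {
            try {
                // InvalidPathException extends IllegalArgumentException, so the
                // catch below also covers names the file system itself rejects.
                System.out.println(name + " -> " + resolveUnderBase(uploads, name));
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

On a POSIX JVM the three traversal inputs are rejected and the two benign names resolve under /var/app/uploads; the containment check is the part that holds regardless of which library, if any, normalized the string first.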

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
commons-io:commons-io | Maven | < 2.7 | 2.7
com.cosium.vet:vet | Maven | >= 1.0, <= 3.22 | (none listed)
com.virjar:ratel-api | Maven | >= 1.0.0, <= 1.3.6 | (none listed)
net.hasor:cobble-lang | Maven | >= 4.4.1, <= 4.6.2 | (none listed)
org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-io | Maven | >= 1.4, <= 1.5 | (none listed)
org.checkerframework.annotatedlib:commons-io | Maven | >= 2.6, < 2.7 | 2.7
org.smartboot.servlet:servlet-core | Maven | >= 0.1.9, <= 0.6 | (none listed)

Affected products: 19

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 91

News mentions: 0

No linked articles in our index yet.