CVE-2022-31259
Description
The route lookup process in beego before 1.12.9 and 2.x before 2.0.3 allows access-control bypass by appending .xml to route segments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The route lookup process in the beego web framework (versions before 1.12.9 and 2.x before 2.0.3) contains a flaw in how it matches URL patterns. When a route such as /p1/p2/:name is configured, the router incorrectly treats variations like /p1.xml/p2/:name or /p1/p2.xml/:name as matching the route. This allows an attacker to append .xml (or similar extensions) to path segments and still be routed to the handler for the original pattern. This bypasses any access controls that rely on the exact path structure. This issue is tracked as bug #4946 [3] and was fixed in PR #4958 [2].
Exploitation
An attacker with network access to the application can send a crafted HTTP request where .xml is inserted into a route segment. No special authentication or privileges are required beyond the ability to make HTTP requests to the target. For example, if the protected route is /admin/settings/:name, an attacker can request /admin.xml/settings/:name or /admin/settings.xml/:name and the router will still match the configured route, potentially accessing the handler that was intended to be protected. The exact attack sequence involves simply appending .xml to a desired path segment in the URL.
Impact
Successful exploitation allows an attacker to bypass access controls enforced by the application's route definitions. This can lead to unauthorized access to sensitive endpoints, such as administrative panels, user data views, or other restricted functionality. The impact aligns with a partial loss of confidentiality and integrity, as the attacker may read or modify resources that should be protected. The privilege level obtained depends on what the targeted route handler provides; it may range from a low-privilege user view to a full administrative interface.
Mitigation
The vulnerability is fixed in beego versions 1.12.9 and 2.0.3. Users should upgrade to the latest patched versions. If upgrading immediately is not possible, a workaround is to implement additional input validation or middleware that rejects requests containing .xml in path segments. No known exploits have been reported in the wild, and this CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
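As an added example that is not code from the beego project or from this advisory: a hypothetical Go middleware implementing the stop-gap described above. It refuses requests whose non-final path segments end in one of the extensions the router strips (.json, .xml, .html, as named in the tree.go comment in the patch below), while leaving an extension on the last segment alone, since beego legitimately maps that to :ext. Function and variable names are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Extensions the beego router strips from a path segment, per the
// "Filter the .json .xml .html extension" comment in tree.go.
var allowSuffixExt = []string{".json", ".xml", ".html"}

// hasSuffixOnNonFinalSegment reports whether any segment other than the
// last ends with a stripped extension. That is the bypass shape from the
// advisory (/admin.xml/settings/x, /admin/settings.xml/x); an extension on
// the final segment is allowed because beego maps it to :ext by design.
func hasSuffixOnNonFinalSegment(path string) bool {
	segs := strings.Split(strings.Trim(path, "/"), "/")
	for _, seg := range segs[:len(segs)-1] { // "/" yields [""], so the loop runs zero times
		for _, ext := range allowSuffixExt {
			if strings.HasSuffix(seg, ext) {
				return true
			}
		}
	}
	return false
}

// RejectSuffixedSegments is a hypothetical stop-gap middleware (not part of
// beego) that answers 404 before the router sees a suffixed intermediate
// segment, for deployments that cannot move to 1.12.9 / 2.0.3 immediately.
func RejectSuffixedSegments(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hasSuffixOnNonFinalSegment(r.URL.Path) {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample paths: the two bypass forms and one legitimate request.
	for _, p := range []string{"/admin.xml/settings/alice", "/admin/settings.xml/alice", "/admin/settings/alice.xml"} {
		fmt.Printf("%-28s reject=%v\n", p, hasSuffixOnNonFinalSegment(p))
	}
}
```

Wrap the beego handler (or any http.Handler in front of it) with RejectSuffixedSegments; the check runs on the decoded r.URL.Path, which is what the router matches against.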
References: [1], [2], [3], [4]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/beego/beego/v2 (Go) | < 2.0.3 | 2.0.3 |
| github.com/beego/beego (Go) | < 1.12.9 | 1.12.9 |
Affected products
- ghsa-coords (no CPE): range < 1.12.9
- ghsa-coords (no CPE): range < 2.0.3
Patches
228576173a23 Merge pull request #4958 from flycash/dev1.x
1 file changed · +1 −1
tree.go+1 −1 modified@@ -341,7 +341,7 @@ func (t *Tree) match(treePattern string, pattern string, wildcardValues []string if runObject == nil && len(t.fixrouters) > 0 { // Filter the .json .xml .html extension for _, str := range allowSuffixExt { - if strings.HasSuffix(seg, str) && strings.HasSuffix(treePattern, seg) { + if strings.HasSuffix(seg, str) && pattern == "" { for _, subTree := range t.fixrouters { // strings.HasSuffix(treePattern, seg) avoid cases: /aaa.html/bbb could access /aaa/bbb if subTree.prefix == seg[:len(seg)-len(str)] {
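Review bot: the comment left inside the loop, `// strings.HasSuffix(treePattern, seg) avoid cases: /aaa.html/bbb could access /aaa/bbb`, now describes a condition this hunk removes; the guard is `pattern == ""`, which only lets the extension be stripped when no route segments remain to match, i.e. on the last request segment. Update the comment to state the new rule (the 2.x hunk of the same fix replaces it with `// pattern == "" avoid cases: ...`), otherwise the next reader will assume the treePattern check is still in force.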
3 files changed · +6 −2
CHANGELOG.md+1 −0 modified@@ -8,6 +8,7 @@ - [Support lifecycle callback](https://github.com/beego/beego/pull/4918) - [Append column comments to create table sentence when using postgres](https://github.com/beego/beego/pull/4940) - [logs: multiFileLogWriter uses incorrect formatter](https://github.com/beego/beego/pull/4943) +- [fix issue 4946 CVE-2022-31259](https://github.com/beego/beego/pull/4954) # v2.0.2 See v2.0.2-beta.1
server/web/tree.go+2 −2 modified@@ -341,9 +341,9 @@ func (t *Tree) match(treePattern string, pattern string, wildcardValues []string if runObject == nil && len(t.fixrouters) > 0 { // Filter the .json .xml .html extension for _, str := range allowSuffixExt { - if strings.HasSuffix(seg, str) && strings.HasSuffix(treePattern, seg) { + // pattern == "" avoid cases: /aaa.html/aaa.html could access /aaa/:bbb + if strings.HasSuffix(seg, str) && pattern == "" { for _, subTree := range t.fixrouters { - // strings.HasSuffix(treePattern, seg) avoid cases: /aaa.html/bbb could access /aaa/bbb if subTree.prefix == seg[:len(seg)-len(str)] { runObject = subTree.match(treePattern, pattern, wildcardValues, ctx) if runObject != nil {
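Review bot: the new guard `pattern == ""` scopes extension stripping to the final request segment, so a suffixed intermediate segment such as /aaa.html/bbb falls through to the ordinary fixed-route comparison instead of resolving to /aaa/:bbb; that is the right scope. The added comment would read more clearly as "only honour the suffix on the last segment" rather than a single example path. Note also that `seg[:len(seg)-len(str)]` is safe only because `strings.HasSuffix(seg, str)` is evaluated first in the same `&&` chain; keep that ordering if the condition is reworked again.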
server/web/tree_test.go+3 −0 modified@@ -122,6 +122,9 @@ func init() { notMatchTestInfo(abcSuffix, "/abc/suffix.html/a"), matchTestInfo(abcSuffix, "/abc/suffix/a", nil), notMatchTestInfo(abcSuffix, "/abc.j/suffix/a"), + // test for fix of issue 4946 + notMatchTestInfo("/suffix/:name", "/suffix.html/suffix.html"), + matchTestInfo("/suffix/:id/name", "/suffix/1234/name.html", map[string]string{":id": "1234", ":ext": "html"}), } }
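Review bot: the added negative case pins only the final-segment shape (`/suffix/:name` vs `/suffix.html/suffix.html`); the other shape named in the issue, an extension on a segment that is followed by a wildcard (`/p1/p2.xml/:name` in the description), has no matching `notMatchTestInfo`, so add one so the `pattern == ""` guard is exercised with a non-empty remaining pattern. The positive case is good to have: it confirms `/suffix/1234/name.html` still matches `/suffix/:id/name` with `:ext` set to `html`, so the intended final-segment behaviour survives the fix.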
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qx32-f6g6-fcfr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-31259 (ghsa, ADVISORY)
- github.com/beego/beego/commit/228576173a236c81a2122923fcf8099ad294e009 (ghsa, WEB)
- github.com/beego/beego/commit/64cf44d725c8cc35d782327d333df9cbeb1bf2dd (ghsa, WEB)
- github.com/beego/beego/issues/4946 (ghsa, WEB)
- github.com/beego/beego/pull/4954 (ghsa, WEB)
- github.com/beego/beego/pull/4958 (ghsa, WEB)
- github.com/beego/beego/tree/v2.0.2 (ghsa, WEB)
- pkg.go.dev/vuln/GO-2022-0463 (ghsa, WEB)
- beego.vip (mitre)
News mentions
No linked articles in our index yet.