CVE-2022-29804 in Google
Summary
by MITRE • 08/11/2022
Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 05/23/2026
The vulnerability identified as CVE-2022-29804 represents a critical path traversal issue affecting Go applications running on Windows systems. This flaw exists in the path/filepath package's Clean function implementation prior to Go versions 1.17.11 and 1.18.3, where the function fails to properly handle certain invalid path sequences that could be manipulated to bypass security restrictions. The issue stems from how the Clean function processes paths containing malformed components that should normally be rejected or properly normalized but instead get converted into valid absolute paths that maintain traversal capabilities.
The technical implementation flaw occurs when the Clean function encounters specific invalid path patterns that contain sequences such as multiple consecutive separators or malformed directory references. Under normal circumstances, these invalid paths should either be rejected or properly normalized to prevent security issues. However, the buggy implementation in older Go versions allows certain combinations of path separators and directory references to be converted into absolute paths that retain their traversal capabilities. This conversion process essentially creates a situation where malicious inputs can be transformed into paths that bypass intended security boundaries, enabling attackers to access files or directories outside the expected application scope.
From an operational perspective, this vulnerability creates significant risks for applications that rely on path validation and security controls, particularly in web applications or services that handle user-provided paths. Attackers could exploit this weakness by crafting malicious path inputs that, when processed through the Clean function, would result in absolute paths that traverse the file system beyond intended boundaries. The impact extends to applications that perform file operations, directory listings, or any functionality that depends on path normalization, potentially allowing unauthorized file access, data exfiltration, or system compromise. This vulnerability particularly affects Windows environments where the path handling differs significantly from Unix-like systems, making it more challenging to detect and prevent through standard cross-platform security measures.
The vulnerability aligns with CWE-22 Directory Traversal and follows patterns commonly associated with path normalization flaws that have been documented in various security frameworks. From an ATT&CK perspective, this issue maps to techniques involving privilege escalation and unauthorized access through path manipulation. Organizations should immediately upgrade to Go versions 1.17.11 or 1.18.3 where this issue has been resolved, as the fix ensures proper handling of invalid path sequences during normalization. Additionally, defensive programming practices should include explicit validation of path inputs before processing, implementation of additional security layers beyond the standard Clean function, and regular security auditing of path handling code. The fix implemented in the newer Go versions ensures that invalid path sequences are properly rejected or normalized in a way that prevents the creation of traversal-capable absolute paths, thereby eliminating the attack vector while maintaining application functionality.