| Titre | antlr ANTLR4 4.13.2 Path Traversal tokenVocab File Read |
|---|
| Description | The `tokenVocab` grammar option in ANTLR4 specifies a `.tokens` vocabulary file to import. The option value is used directly to construct a file path as `lib_directory + "/" + vocabName + ".tokens"` without any path traversal validation. An attacker-controlled grammar file (or library directory path) can read arbitrary `.tokens` files from anywhere on the filesystem, with the file content appearing verbatim in error messages. Confirmed: ANTLR4 4.13.2 reads and reports the content of `/tmp/secret_tokens.tokens` when `tokenVocab=secret_tokens` and `-lib /tmp` are specified. |
|---|
| La source | ⚠️ https://github.com/wooyun123/wooyun/issues/8 |
|---|
| Utilisateur | jiazhou (UID 89028) |
|---|
| Soumission | 27/05/2026 12:14 (il y a 1 mois) |
|---|
| Modérer | 27/06/2026 20:28 (1 month later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 374497 [antlr ANTLR4 jusqu’à 4.13.2 tokenVocab Grammar Option TokenVocabParser.java getImportedVocabFile directory traversal] |
|---|
| Points | 20 |
|---|