| Title | antlr ANTLR4 4.13.2 Path Traversal tokenVocab File Read |
|---|
| Description | The `tokenVocab` grammar option in ANTLR4 specifies a `.tokens` vocabulary file to import. The option value is used directly to construct a file path as `lib_directory + "/" + vocabName + ".tokens"` without any path traversal validation. An attacker-controlled grammar file (or library directory path) can read arbitrary `.tokens` files from anywhere on the filesystem, with the file content appearing verbatim in error messages. Confirmed: ANTLR4 4.13.2 reads and reports the content of `/tmp/secret_tokens.tokens` when `tokenVocab=secret_tokens` and `-lib /tmp` are specified. |
|---|
| Source | ⚠️ https://github.com/wooyun123/wooyun/issues/8 |
|---|
| User | jiazhou (UID 89028) |
|---|
| Submission | 05/27/2026 12:14 (1 month ago) |
|---|
| Moderation | 06/27/2026 20:28 (1 month later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 374497 [antlr ANTLR4 up to 4.13.2 tokenVocab Grammar Option TokenVocabParser.java getImportedVocabFile path traversal] |
|---|
| Points | 20 |
|---|