Submit #838686: antlr ANTLR4 4.13.2 Path Traversal tokenVocab File Readinfo

Titleantlr ANTLR4 4.13.2 Path Traversal tokenVocab File Read
DescriptionThe `tokenVocab` grammar option in ANTLR4 specifies a `.tokens` vocabulary file to import. The option value is used directly to construct a file path as `lib_directory + "/" + vocabName + ".tokens"` without any path traversal validation. An attacker-controlled grammar file (or library directory path) can read arbitrary `.tokens` files from anywhere on the filesystem, with the file content appearing verbatim in error messages. Confirmed: ANTLR4 4.13.2 reads and reports the content of `/tmp/secret_tokens.tokens` when `tokenVocab=secret_tokens` and `-lib /tmp` are specified.
Source⚠️ https://github.com/wooyun123/wooyun/issues/8
User
 jiazhou (UID 89028)
Submission05/27/2026 12:14 (1 month ago)
Moderation06/27/2026 20:28 (1 month later)
StatusAccepted
VulDB entry374497 [antlr ANTLR4 up to 4.13.2 tokenVocab Grammar Option TokenVocabParser.java getImportedVocabFile path traversal]
Points20

Interested in the pricing of exploits?

See the underground prices here!