A path traversal vulnerability exists in the FileUtil class of the code16/sharp package. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer.
In src/Utils/FileUtil.php, the FileUtil::explodeExtension() function extracts a file's extension by splitting the filename at the last dot. However, the extracted extension is never sanitized. While the application uses a normalizeName() function, this function only cleans the base filename, meaning any path separators (such as /) injected into the extension will survive and be passed into the storeAs() function.
Exploiting this flaw allows an authenticated attacker to manipulate file paths:
- Files can be written outside of the intended tmp directory via path traversal. For more details on the package, visit: https://github.com/code16/sharp
- Existing critical files (such as .env or configuration files) could potentially be overwritten. Review the CWE definition here: https://cwe.mitre.org/data/definitions/22.html (Note: This vulnerability was successfully chained with CWE-434 in a local Proof of Concept to confirm the traversal.)
This issue has been patched by properly sanitizing the extension using pathinfo(PATHINFO_EXTENSION) instead of strrpos(), alongside applying strict regex replacements to both the base name and the extension. The fix is available in pull request #715
Reported by zaurgsynv.
| Score | Percentile |
|---|---|
| 0.07% | 21.89% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.8 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-9ffq-6457-8958 ↗ |
| CVE | CVE-2026-33686 ↗ |
| CWE id | Name |
|---|---|
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | code16/sharp | < 9.20.0 | 9.20.0 | — |