{"ecosystem":"cargo","package":"tower-http","version":null,"bugs":[{"id":902,"ecosystem":"cargo","package_name":"tower-http","affected_version":"0.2.0","fixed_version":"0.2.1","bug_id":"osv:GHSA-qrqq-9c63-xfrg","title":"tower-http's improper validation of Windows paths could lead to directory traversal attack","description":"`tower_http::services::fs::ServeDir` didn't correctly validate Windows paths, meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users could potentially read files anywhere on the filesystem.\n\nThis only impacts Windows. Linux and other unix likes are not impacted by this.\n\nSee [tower-http#204] for more details.\n\n[tower-http#204]: https://github.com/tower-rs/tower-http/pull/204\n","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/tower-rs/tower-http/pull/204","labels":["RUSTSEC-2022-0043"],"created_at":"2026-04-19T04:32:11.146960+00:00","updated_at":"2026-04-19T04:32:11.146960+00:00"},{"id":904,"ecosystem":"cargo","package_name":"tower-http","affected_version":"0.2.0","fixed_version":"0.2.1","bug_id":"osv:RUSTSEC-2022-0043","title":"Improper validation of Windows paths could lead to directory traversal attack","description":"`tower_http::services::fs::ServeDir` didn't correctly validate Windows paths\nmeaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed\nand respond with the contents of `c:/windows/web/screen/img101.png`. Thus users\ncould potentially read files anywhere on the filesystem.\n\nThis only impacts Windows. Linux and other unix likes are not impacted by this.\n\nSee [tower-http#204] for more details.\n\n[tower-http#204]: https://github.com/tower-rs/tower-http/pull/204","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/tower-http","labels":["GHSA-qrqq-9c63-xfrg"],"created_at":"2026-04-19T04:32:11.148353+00:00","updated_at":"2026-04-19T04:32:11.148353+00:00"},{"id":903,"ecosystem":"cargo","package_name":"tower-http","affected_version":"0.2.0","fixed_version":"0.2.1","bug_id":"osv:GHSA-wwh2-r387-g5rm","title":"tower-http's improper validation of Windows paths could lead to directory traversal attack","description":"`tower_http::services::fs::ServeDir` didn't correctly validate Windows paths meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users could potentially read files anywhere on the filesystem. This only impacts Windows. Linux and other unix likes are not impacted by this.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/tower-rs/tower-http/pull/204","labels":[],"created_at":"2026-04-19T04:32:11.147883+00:00","updated_at":"2026-04-19T04:32:11.147883+00:00"}],"total":3,"_cache":"miss"}