{"ecosystem":"go","package":"github.com/valyala/fasthttp","version":null,"bugs":[{"id":1328,"ecosystem":"go","package_name":"github.com/valyala/fasthttp","affected_version":null,"fixed_version":"1.34.0","bug_id":"osv:GHSA-fx95-883v-4q4h","title":"Path traversal in github.com/valyala/fasthttp","description":"The package github.com/valyala/fasthttp before 1.34.0 is vulnerable to Directory Traversal via the ServeFile function, due to improper sanitization. It is possible to be exploited by using a backslash %5c character in the path. **Note:** This security issue impacts Windows users only.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21221","labels":["CVE-2022-21221","GO-2022-0355"],"created_at":"2026-04-19T04:32:48.310242+00:00","updated_at":"2026-04-19T04:32:48.310242+00:00"},{"id":1329,"ecosystem":"go","package_name":"github.com/valyala/fasthttp","affected_version":null,"fixed_version":"1.34.0","bug_id":"osv:GO-2022-0355","title":"Path traversal in github.com/valyala/fasthttp","description":"The fasthttp.FS request handler is vulnerable to directory traversal attacks on Windows systems, and can serve files from outside the provided root directory.\n\nURL path normalization does not handle Windows path separators (backslashes), permitting an attacker to construct requests with relative paths.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/valyala/fasthttp/commit/6b5bc7bb304975147b4af68df54ac214ed2554c1","labels":["CVE-2022-21221","GHSA-fx95-883v-4q4h"],"created_at":"2026-04-19T04:32:48.311141+00:00","updated_at":"2026-04-19T04:32:48.311141+00:00"}],"total":2,"_cache":"miss"}