Impact
SciTokens C++ lets a library user process path-based scopes contained in a token, and it normalizes those paths by collapsing ".." components. Because the library neither rejects nor constrains such path traversal, an attacker can supply a scope that includes parent-directory references and thereby broaden the effective authorization beyond the intended directory. The result is an unauthorized-access condition: a token that grants access to a sub-path is transformed into one that grants access to higher-level paths, enabling privilege escalation within the application.
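The following added example is not the SciTokens C++ library's own code and its function names are hypothetical; it contrasts a scope-path normalizer that collapses ".." (the behaviour described above) with one that refuses traversal components, alongside the prefix-based authorization check on which a widened scope would act:

```cpp
// Hypothetical illustration of the scope-path normalization issue; not SciTokens C++ code.
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Split a path-style scope value such as "/data/project/../x" into its components.
static std::vector<std::string> split_components(const std::string &path) {
    std::vector<std::string> parts;
    std::stringstream ss(path);
    for (std::string part; std::getline(ss, part, '/');)
        if (!part.empty() && part != ".") parts.push_back(part);
    return parts;
}

static std::string join_components(const std::vector<std::string> &parts) {
    std::string out;
    for (const auto &p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// Vulnerable behaviour: ".." is collapsed, so a scope issued for a sub-path can be
// rewritten by whoever presents the token to cover a parent directory instead.
std::string normalize_scope_path_vulnerable(const std::string &path) {
    std::vector<std::string> stack;
    for (const auto &p : split_components(path)) {
        if (p == "..") { if (!stack.empty()) stack.pop_back(); }
        else stack.push_back(p);
    }
    return join_components(stack);
}

// Hardened behaviour: any parent-directory component makes the scope invalid,
// so the caller rejects the token instead of widening its authorization.
std::optional<std::string> normalize_scope_path_hardened(const std::string &path) {
    std::vector<std::string> parts;
    for (const auto &p : split_components(path)) {
        if (p == "..") return std::nullopt;   // refuse traversal outright
        parts.push_back(p);
    }
    return join_components(parts);
}

// Typical authorization check: the requested path must sit at or under the scope path.
bool scope_permits(const std::string &scope_path, const std::string &requested) {
    std::string base = scope_path == "/" ? "/" : scope_path + "/";
    return requested == scope_path || requested.compare(0, base.size(), base) == 0;
}
```

With the collapsing normalizer, a scope of "/data/project/../../etc" becomes "/etc" and the prefix check then permits "/etc/passwd"; the hardened normalizer returns no value for the same input, so the token is refused.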
Affected Systems
The vulnerability affects the SciTokens C++ library, distributed under the scitokens:scitokens-cpp identifier. All releases prior to version 1.4.1 are affected; version 1.4.1 introduces the fix, which corrects the normalization behavior.
Risk and Exploitability
The vulnerability carries a CVSS score of 8.3 (high severity), but its EPSS score is below 1 % and it is not listed in the CISA KEV catalog, suggesting a low to moderate likelihood of exploitation in the wild. Exploitation requires an attacker to craft or obtain a token containing a path-based scope and present it to an application that uses the vulnerable library; the attack surface is therefore tied to the points at which tokens are accepted, which may be remote or local depending on the service design. An attack would exploit the library's incorrect handling of path traversal to gain access to resources beyond the intended scope.
OpenCVE Enrichment