Description
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefix(path, safedir). This is a lexical check, not a directory boundary check: /packages-extra/evil starts with /packages, so it passed. The function did not enforce a path-separator boundary, so any sibling directory whose name began with the safe-directory string was accepted. Callers included the builder's Clean handler (pkg/builder/builder.go:208) and the fetcher's Fetch / Upload handlers (pkg/fetcher/fetcher.go). A tenant who could pre-create or control a sibling directory under the fetcher / builder's shared volume could induce a write or read outside the intended safe directory. This issue has been patched in version 1.25.0.
Published: 2026-06-10
Score: 3.6 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Fission’s SanitizeFilePath function, which relies on a simple lexical HasPrefix check to ensure a path stays within a safe directory. Because the check does not enforce a path-separator boundary, a sibling directory whose name begins with the safe-directory string can be used to bypass the intended restriction. This flaw allows a tenant that can create or control such a sibling directory to read or write files outside the intended safe directory, potentially compromising application data or executing unintended code within the tenant’s workspace.
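
The sibling-directory bypass described above, next to a component-aware check, as an added example (not Fission's code and not its 1.25.0 patch). The helper names and sample paths are constructed, and filepath.Clean is applied in both functions as an assumption so that only the separator-boundary difference shows:

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// lexicalCheck reproduces the pattern named in the description: a bare
// string-prefix comparison with no path-separator boundary.
func lexicalCheck(path, safedir string) bool {
	return strings.HasPrefix(filepath.Clean(path), filepath.Clean(safedir))
}

// boundaryCheck (hypothetical helper) accepts path only if it is safedir
// itself or lies beneath it. filepath.Rel compares path components, so
// "/packages-extra" is not treated as being inside "/packages".
func boundaryCheck(path, safedir string) bool {
	rel, err := filepath.Rel(filepath.Clean(safedir), filepath.Clean(path))
	if err != nil {
		return false // e.g. relative path against an absolute safedir
	}
	// Reject ".." and "../x", but keep names that merely start with "..".
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	const safedir = "/packages" // constructed sample values below
	for _, p := range []string{
		"/packages/fn/main.py",    // inside
		"/packages",               // the directory itself
		"/packages-extra/evil",    // sibling sharing the string prefix
		"/packages/../etc/passwd", // traversal, removed by Clean
		"/packages/..data/file",   // legitimate name starting with ".."
	} {
		fmt.Printf("%-26s lexical=%-5v boundary=%v\n",
			p, lexicalCheck(p, safedir), boundaryCheck(p, safedir))
	}
}
```

Both functions work on path strings only; a symlink placed inside the safe directory is not resolved by either, so callers that must follow links need filepath.EvalSymlinks before the check.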

Affected Systems

Fission users running any version prior to 1.25.0 are affected. The issue appears in the builder’s Clean handler and the fetcher’s Fetch/Upload handlers, which are part of the Fission open‑source, Kubernetes‑native serverless framework. Version 1.25.0 and later include the patch that corrects the directory boundary check.

Risk and Exploitability

The CVSS score of 3.6 indicates low overall severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attacker is a tenant with access to the builder or fetcher endpoints; this scenario is inferred, because the flaw hinges on the tenant's ability to pre-create a sibling directory under the shared volume. The potential impact is a read or write beyond the intended safe directory, which could lead to data leakage or code execution within the tenant's environment. The risk is therefore low to moderate, but mitigation remains recommended.

Generated by OpenCVE AI on June 10, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fission to version 1.25.0 or later, applying the security fix.
  • Restrict the builder and fetcher shared volumes so that tenants cannot create or manipulate sibling directories.
  • Implement additional path validation or normalization checks in custom code to enforce directory boundaries, especially if an upgrade is not immediately possible.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 18:15:00 +0000

Type: Values Removed / Values Added
Description: same text as the Description at the top of this page
Title: Fission: SanitizeFilePath lexical HasPrefix bypass permits sibling-directory escape
Weaknesses: CWE-41
References:
Metrics: cvssV3_1 {'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T17:31:49.917Z

Reserved: 2026-06-04T21:34:34.427Z

Link: CVE-2026-50568

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-10T18:17:13.333

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-50568

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T19:45:39Z

Weaknesses