CVE-2026-33129: Path Traversal Bypass via decodeURI

Provally Curated | Public repository | Medium | Medium confidence | Verified | Apache-2.0 | JS
greprules fetch cve-2026-33129-bypass-path-traversal-decodeuri --engine opengrep

Description

Decoding an HTTP request path using `decodeURI` or `decodeURIComponent` without subsequently removing or resolving dot segments can bypass simple path traversal protections. An attacker can send percent-encoded dot segments (e.g., `%2e%2e`) that bypass literal filters and get decoded into `..`, enabling directory traversal. Ensure you wrap the decoded path i
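
The following is an added example, not code from the rule or from any affected project. It contrasts the decode-after-filter pattern described above with a version that resolves dot segments after decoding; `ROOT`, `naiveResolve`, `safeResolve` and the sample request paths are constructed for illustration.

```javascript
// Added example: ROOT and both function names are hypothetical.
const ROOT = '/srv/static'; // assumed document root

// Pattern the rule flags: the literal ".." filter runs on the raw path,
// then decodeURIComponent turns %2e%2e into ".." after the check has passed.
function naiveResolve(rawPath) {
  if (rawPath.includes('..')) return null;      // literal filter only
  const decoded = decodeURIComponent(rawPath);  // dot segments appear here
  return ROOT + decoded;                        // never normalised
}

// Hardened pattern: decode once, then resolve dot segments and refuse
// any path that would climb above the root.
function safeResolve(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null;                                // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null;      // reject embedded NUL bytes
  const stack = [];
  // Split on both separators so decoded %2f and %5c are treated as boundaries.
  for (const seg of decoded.split(/[\\/]+/)) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (stack.length === 0) return null;      // would escape ROOT
      stack.pop();
    } else {
      stack.push(seg);
    }
  }
  return ROOT + '/' + stack.join('/');
}

// Constructed sample request paths.
for (const p of ['/css/%2e%2e/index.html', '/%2e%2e/%2e%2e/outside.txt']) {
  console.log(p, '->', naiveResolve(p), '|', safeResolve(p));
}
```

In a Node.js handler the result of the hardened function would typically also be passed through `path.resolve` and compared against the root prefix before any file is opened.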