GHSA-6q65-j4jw-9cg8: DotVVM allows path traversal when deployed in Debug mode
There is a path traversal vulnerability in any DotVVM application started in Debug mode, if at least one resource with a FileResourceLocation has been added. The vulnerability allows an attacker to read arbitrary files from the filesystem that are accessible to the web application (e.g. appsettings.json or other files containing secrets).