CVE Catalog

CVE-2026-50568

LowCVSS 3.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.01%

2th percentile — higher than 2% of all known CVEs

Summary

Fission is a serverless framework that operates on Kubernetes and had a vulnerability in path validation prior to version 1.25.0. The SanitizeFilePath function did not properly check directory boundaries, allowing access to unsafe directories.

Risk Assessment

The organization may be exposed to unauthorized data access if users can control sibling directories in the shared volume. This could lead to data leakage or unauthorized writes.

Recommendation

It is recommended to upgrade Fission to version 1.25.0 or later to mitigate this vulnerability. Additionally, conducting an audit of directory permissions in the Kubernetes environment is advisable.

Original NVD description (English source)

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefix(path, safedir). This is a lexical check, not a directory boundary check: /packages-extra/evil starts with /packages, so it passed. The function did not enforce a path-separator boundary, so any sibling directory whose name began with the safe-directory string was accepted. Callers included the builder's Clean handler (pkg/builder/builder.go:208) and the fetcher's Fetch / Upload handlers (pkg/fetcher/fetcher.go). A tenant who could pre-create or control a sibling directory under the fetcher / builder's shared volume could induce a write or read outside the intended safe directory. This issue has been patched in version 1.25.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS