Security Vulnerability Report
CVE-2026-40254 CVSS 4.2 MEDIUM

Published: 2026-04-24 03:16:11
Last Modified: 2026-04-27 17:44:03

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\` mid-path but misses `..` when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue.

CVSS Details

CVSS Score: 4.2
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

The record below also carries a second, primary CVSS 3.1 assessment of 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, i.e. low attack complexity and changed scope) and classifies the weakness as CWE-193 (Off-by-one Error).

Configurations (Affected Products)

cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:* - VULNERABLE
FreeRDP < 3.25.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Simulates the vulnerable logic in FreeRDP's contains_dotdot()
def vulnerable_check(path):
    # The original code checks for the substrings "../" or "..\\".
    # It fails to catch ".." at the end of a path component.
    if "../" in path or "..\\" in path:
        return False  # Blocked
    return True  # Allowed


# Attack Scenario: Malicious server requests a file path.
# The attacker wants to access the parent directory of the shared folder.
# Shared folder is at '/home/user/shared', attacker wants '/home/user'.
payloads = [
    "normal_file.txt",
    "../../etc/passwd",         # Standard traversal, usually caught
    "subfolder/..",             # The specific bypass case: .. at the end
    "subfolder/../secret.txt",  # Caught because of trailing slash after ..
]

print(f"{'Payload':<25} | {'Vulnerable Check':<18} | {'Status'}")
print("-" * 60)
for p in payloads:
    is_allowed = vulnerable_check(p)
    status = (
        "ALLOWED (VULNERABLE)" if is_allowed and ".." in p
        else ("BLOCKED" if ".." in p else "ALLOWED (Safe)")
    )
    print(f"{p:<25} | {str(is_allowed):<18} | {status}")
```
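The same off-by-one re-created in C as an added illustration (not FreeRDP's own `contains_dotdot()` code): the substring filter the advisory describes, next to a component-wise filter that rejects any `..` segment wherever it sits, including a trailing one with no separator. The function names and sample paths are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* The flawed substring filter from the advisory: "../" and "..\" are caught,
 * but a bare ".." as the last component is not (re-creation, not FreeRDP code). */
bool dotdot_substring(const char *path)
{
    return strstr(path, "../") != NULL || strstr(path, "..\\") != NULL;
}

/* Component-wise filter: split on '/' and '\' and flag any component that is
 * exactly "..", including a trailing one with no separator after it. */
bool dotdot_component(const char *path)
{
    const char *start = path;
    for (const char *p = path;; p++) {
        if (*p == '/' || *p == '\\' || *p == '\0') {
            if (p - start == 2 && start[0] == '.' && start[1] == '.')
                return true;
            if (*p == '\0')
                return false;
            start = p + 1;
        }
    }
}
/* Constructed sample paths (not from the advisory) covering the bypass. */
static const char *const samples[] = {
    "normal_file.txt", "../../etc/passwd", "subfolder/..",
    "subfolder\\..", "subfolder/../secret.txt", "..", "..hidden"
};
#define NSAMPLES (sizeof samples / sizeof samples[0])

/* Samples the substring filter allows but the component filter rejects. */
int count_bypasses(void)
{
    int bypasses = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (!dotdot_substring(samples[i]) && dotdot_component(samples[i]))
            bypasses++;
    return bypasses;
}
int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-26s substring:%-8s component:%s\n", samples[i],
               dotdot_substring(samples[i]) ? "blocked" : "allowed",
               dotdot_component(samples[i]) ? "blocked" : "allowed");
    return 0;
}
```

Rejecting `..` segments closes this particular bypass, but it does not replace resolving the final path and checking that it still lies under the shared folder.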

References

https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmx (vendor advisory; tagged Exploit, Mitigation, Vendor Advisory in the record below)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-40254",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-24T03:16:11.373",
    "lastModified": "2026-04-27T17:44:02.727",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\\` mid-path but misses `..` when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 2.5
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-193"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "3.25.0",
                "matchCriteriaId": "290894D9-8CE7-4908-ACED-2E467A3D2B36"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmx",
        "source": "[email protected]",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmx",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      }
    ]
  }
}
```