| Version | Phase | End of Bugfix Support |
|---|---|---|
| Flysystem 3 | Supported | Not specified yet |
Flysystem 2 and earlier have reached End-of-Life.
FYI: There is no bug-bounty program.
If you believe you have found a security vulnerability in Flysystem, please report it to me through coordinated disclosure.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, please email info+flysystem@frankdejonge.nl.
Please include as much of the information listed below as you can to help me better understand and resolve the issue:
- The type of issue
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
This information will help me triage your report more quickly.
If you used an AI assistant (LLM, coding agent, or similar) to find, reproduce, or write up the issue, please say so and describe how it was used. This does not disqualify a report, but it changes how I triage it.
Path traversal attacks for the root path should not occur. Under standard configurations, using the security features Flysystem ships an attacker should not be able to escape out of the configured root path through path traversal attacks.
Root paths are configured at the adapter level. Any path inside the root path can resolve relative paths. Breaking out of a sub-directory is NOT considered a vulnerability. If you wish to prevent path traversal attacks, configure the appropriate root path or disable relative path traveral.
When relative path traversal is disabled, any relative path traversal IS be considered a vulnerability.
Relative path resolution is enabled by default and can be disabled by setting the allow_relative_path_traversal
configuration option on the Filesystem instance to false or by passing a PathNormalizer instance configured to
reject relative path traversal.
use League\Flysystem\Filesystem;use League\Flysystem\WhitespacePathNormalizer;
$filesystem = new Filesystem(
$adapter,
[
'allow_relative_path_traversal' => false,
]
);
$filesystem = new Filesystem(
$adapter,
[],
new WhitespacePathNormalizer(allowRelativePathTraversal: false),
);Important
Note that, passing a PathNormalizer instance takes precedence over the allow_relative_path_traversal configuration
option. If the configuration option is set to false but the configured PathNormalizer instance does not reject
relative path traversal, path traversal attacks are still possible. This is considered a faulty configuration and is
not considered a security vulnerability.