CVE-2022-45969

9.8 CRITICAL

📋 TL;DR

CVE-2022-45969 is a directory traversal vulnerability in Alist v3.4.0 that allows attackers to access files outside the intended directory. This affects all users running the vulnerable version of Alist file listing software. Attackers can potentially read sensitive system files through improper path validation.

💻 Affected Systems

Products:
  • Alist
Versions: v3.4.0
Operating Systems: All platforms running Alist
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of Alist v3.4.0 are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through reading sensitive configuration files, credentials, or SSH keys leading to lateral movement and data exfiltration.

🟠 Likely Case: Unauthorized access to sensitive application files, configuration data, or user-uploaded content stored in adjacent directories.

🟢 If Mitigated: Limited impact with proper file permissions and network segmentation preventing access to critical system files.

🌐 Internet-Facing: HIGH - Directory traversal vulnerabilities in internet-facing applications are easily discoverable and exploitable.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this to access sensitive files within the application environment.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Directory traversal vulnerabilities are trivial to exploit with basic HTTP requests using path traversal sequences like ../

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.5.0 and later

Vendor Advisory: https://github.com/alist-org/alist/issues/2449

Restart Required: Yes

Instructions:

1. Stop Alist service.
2. Back up configuration.
3. Update to v3.5.0 or later.
4. Restart Alist service.

🔧 Temporary Workarounds

Web Server Path Restriction

all

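Configure the web server (nginx/apache) to reject requests containing directory traversal sequences. Match on the raw request rather than on a location or RewriteRule pattern: those only see the URL path, never the query string, so they would miss a path= parameter such as the one in the check under How to Verify.

# nginx example (server block; $request_uri is the raw URI including the query string)
if ($request_uri ~* "(\.|%2e){2}(/|%2f)") { return 403; }
# apache example (mod_rewrite with RewriteEngine On; THE_REQUEST is the raw request line)
RewriteCond %{THE_REQUEST} "(\.|%2e){2}(/|%2f)" [NC]
RewriteRule ^ - [F]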

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Alist from sensitive systems
  • Apply strict file system permissions to limit accessible directories

🔍 How to Verify

Check if Vulnerable:

Test with curl: curl -v 'http://alist-server:port/api/path?path=../../../etc/passwd'

Check Version:

Check Alist web interface or run: alist version

Verify Fix Applied:

Attempt same traversal test after patch - should return error or empty response

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing ../ sequences
  • Access to unexpected file paths
  • 403/404 errors for traversal attempts

Network Indicators:

  • HTTP requests with encoded traversal sequences (%2e%2e%2f)
  • Unusual file access patterns

SIEM Query:

web.url:*../* OR web.uri:*../*
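
The log and network indicators above, as an added example (not code from Alist or from this advisory): a scanner for web access logs that flags both plain and percent-encoded traversal sequences. It goes beyond the SIEM query by decoding the request target first, so it also catches %2e%2e%2f and double-encoded forms. The combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A ".." that forms a whole segment: preceded by start, "/", "=", "&" or "?"
DOTDOT_SEGMENT = re.compile(r'(?:^|[/=&?])\.\.(?:/|$|[&#])')

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double encoding (%252e) is unwrapped too."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")  # treat backslash separators like "/"

def has_traversal(target):
    return bool(DOTDOT_SEGMENT.search(fully_decode(target)))

def scan(lines):
    """Return (line_number, status, raw_target) for every request with a traversal segment."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and has_traversal(match["target"]):
            hits.append((number, int(match["status"]), match["target"]))
    return hits

# Constructed sample log lines (documentation addresses, made-up timestamps)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2023:10:00:00 +0000] "GET /api/path?path=../../../etc/passwd HTTP/1.1" 200 1543',
    '192.0.2.10 - - [01/Jan/2023:10:00:02 +0000] "GET /api/path?path=%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 403 0',
    '192.0.2.11 - - [01/Jan/2023:10:00:05 +0000] "GET /api/path?path=%252e%252e%252fconf HTTP/1.1" 404 0',
    '192.0.2.12 - - [01/Jan/2023:10:00:09 +0000] "GET /docs/release..notes/v3.5.0 HTTP/1.1" 200 812',
    '192.0.2.12 - - [01/Jan/2023:10:00:11 +0000] "GET /api/path?path=/music/album HTTP/1.1" 200 97',
]

if __name__ == "__main__":
    for number, status, target in scan(SAMPLE_LOG):
        # A 2xx status on a traversal request deserves review first
        print(f"line {number}: status={status} target={target}")
```

Hits that returned a 2xx status are the ones to triage first, since 403/404 responses indicate the attempt was rejected.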
