CVE-2024-22050

7.5 HIGH

📋 TL;DR

CVE-2024-22050 is a path traversal vulnerability in Iodine's static file service that allows unauthenticated remote attackers to read files outside the designated public folder by crafting malicious URLs. This affects all systems running Iodine versions below 0.7.33 that serve static files.

💻 Affected Systems

Products:
  • Iodine web framework
Versions: All versions less than 0.7.33
Operating Systems: All operating systems running Iodine
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using Iodine's static file serving functionality. Applications not serving static files are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive system files like /etc/passwd, configuration files, or source code, potentially leading to credential theft, privilege escalation, or further attacks.

🟠 Likely Case

Unauthorized access to application files, configuration data, or other sensitive information stored on the server outside the public directory.

🟢 If Mitigated

Limited impact if proper file permissions restrict access to sensitive files, but still exposes directory structure and accessible files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Path traversal vulnerabilities are commonly exploited and require minimal technical skill. No public exploit code is needed as the vulnerability is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.7.33

Vendor Advisory: https://github.com/boazsegev/iodine/security/advisories/GHSA-85rf-xh54-whp3

Restart Required: Yes

Instructions:

1. Update the Iodine gem to version 0.7.33 or higher using 'gem update iodine'.
2. Restart the Iodine application server.
3. Verify the update with 'iodine --version'.

🔧 Temporary Workarounds

Disable static file serving (applies to: all)

  • Remove or disable Iodine's static file serving functionality if not required
  • Modify Iodine configuration to not serve static files

Use reverse proxy with path validation (applies to: all)

  • Place Iodine behind a reverse proxy (nginx, Apache) that validates and sanitizes URL paths
  • Configure the reverse proxy to filter malicious path traversal patterns

🧯 If You Can't Patch

  • Implement strict file system permissions to limit which files the Iodine process can access
  • Deploy web application firewall (WAF) rules to block path traversal patterns in URLs

🔍 How to Verify

Check if Vulnerable:

Check Iodine version with 'iodine --version' or examine Gemfile.lock for iodine gem version below 0.7.33

Check Version:

iodine --version

Verify Fix Applied:

Confirm version is 0.7.33 or higher and test with path traversal attempts that should be blocked

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../', '..\', or other path traversal patterns in URLs
  • Unusual file access patterns from web requests

Network Indicators:

  • HTTP requests with encoded path traversal sequences (%2e%2e%2f, etc.)

SIEM Query:

source="web_logs" AND (url="*../*" OR url="*..\\*" OR url="*%2e%2e%2f*")
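A log-side check for the indicators listed above, added here as an example (it is neither Iodine's code nor part of the advisory): it percent-decodes each request path repeatedly and walks its segments, so it catches the encoded forms the SIEM query looks for as well as double-encoded and backslash variants, while ignoring a '..' that stays inside the web root. The log lines are constructed samples in Common Log Format.

```ruby
# Constructed sample access-log lines (Common Log Format); not taken from any real server.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [10/Jan/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
  203.0.113.5 - - [10/Jan/2024:12:00:02 +0000] "GET /css/../images/logo.png HTTP/1.1" 200 2048
  203.0.113.9 - - [10/Jan/2024:12:00:03 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1024
  203.0.113.9 - - [10/Jan/2024:12:00:04 +0000] "GET /%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024
  203.0.113.9 - - [10/Jan/2024:12:00:05 +0000] "GET /%252e%252e%252fetc/passwd HTTP/1.1" 404 0
LOG
# Percent-decode repeatedly (bounded) so double-encoded sequences such as %252e are
# unwrapped as well; a plain regexp on the raw URL would miss those.
def fully_decode(path, rounds = 3)
  path = path.b
  rounds.times do
    decoded = path.gsub(/%([0-9a-f]{2})/i) { $1.hex.chr }
    return decoded if decoded == path
    path = decoded
  end
  path
end

# True when the normalised path climbs above the web root. Walking the segments
# (instead of grepping for "..") avoids false positives like /css/../images/x.png
# and still catches backslash separators.
def escapes_root?(raw_path)
  depth = 0
  fully_decode(raw_path).gsub('\\', '/').split('/').each do |seg|
    next if seg.empty? || seg == '.'
    if seg == '..'
      return true if depth.zero?
      depth -= 1
    else
      depth += 1
    end
  end
  false
end

REQUEST_LINE = %r{"(?<method>[A-Z]+) (?<target>\S+) HTTP/[\d.]+"}
# Return every log line whose request path escapes the root, regardless of status
# code (a 404 still records an attempt worth alerting on).
def traversal_hits(log_text)
  log_text.each_line.filter_map do |line|
    m = REQUEST_LINE.match(line) or next
    path = m[:target].split('?', 2).first
    line.strip if escapes_root?(path)
  end
end

puts traversal_hits(SAMPLE_LOG) if $PROGRAM_NAME == __FILE__
```

Only the last three sample lines are reported; the second line contains '..' but resolves inside the root, which the naive SIEM wildcard would flag.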

🔗 References
