CVE-2020-36559: 
vulnerability analysis and mitigation

Due to improper sanitization of user input, HTTPEngine.Handle in aahframe.work versions before 0.12.4 contains a directory traversal vulnerability that allows attackers to read files outside of the target directory that the server has permission to read. The vulnerability was discovered and reported on March 3, 2020, affecting the static file delivery functionality of the framework (Go Vuln DB, GitHub Issue).

The vulnerability exists in the HTTPEngine.Handle function where user input for file paths was not properly sanitized before being used to access files. This allowed attackers to use path traversal sequences to access files outside the intended directory structure. The issue was fixed in version 0.12.4 by implementing proper path cleaning using path.Clean() on the request URL path (GitHub PR).

An attacker could exploit this vulnerability to read arbitrary files that the server process has permission to access, potentially exposing sensitive information outside of the intended web root directory (Go Vuln DB).

Users should upgrade to aahframe.work version 0.12.4 or later which includes the fix for this vulnerability. The fix implements proper path sanitization using path.Clean() on the request URL path to prevent directory traversal attempts (GitHub Commit).