GHSA-7p7c-pvvx-2vx3: 
Rust vulnerability analysis and mitigation

A directory traversal vulnerability was discovered in hyper-staticfile, identified as GHSA-7p7c-pvvx-2vx3, affecting versions prior to 0.9.2 and version 0.10.0-alpha.1. The vulnerability was reported on November 29, 2022, and disclosed on December 5, 2022. The issue specifically impacts Windows systems, where improper validation of Windows paths could allow attackers to access arbitrary files on the filesystem (GitHub Advisory, RustSec Advisory).

The vulnerability stems from insufficient path validation in hyper-staticfile's path resolution mechanism. On Windows systems, the software failed to properly validate paths containing Windows drive letters, allowing requests like '/foo/bar/c:/windows/web/screen/img101.png' to access files from any location on the filesystem. This vulnerability is classified as CWE-22 and has been assigned a Moderate severity rating. The issue is specific to Windows environments, with Linux and other Unix-like systems remaining unaffected (GitHub Advisory, GitHub Issue).

The vulnerability enables attackers to potentially read files from anywhere on the filesystem of affected Windows systems. An attacker could access sensitive files by crafting specific URLs that include Windows drive letters, bypassing the intended directory restrictions (GitHub Advisory, RustSec Advisory).

The vulnerability has been patched in versions 0.9.2 and 0.10.0-alpha.2. The fix involves additional validation of path components to prevent malicious use of Windows drive letters. Users should upgrade to these patched versions to protect against potential exploits (GitHub Advisory, GitHub PR).