Severity: high

Directory Traversal
A crafted GET request can be leveraged to traverse the directory structure of a host using the lactate web server package and request arbitrary files outside of the specified web root. This allows a remote attacker to read arbitrary files on the filesystem that the process has permission to read.

Mitigating factors: Only files that the user running lactate has permission to read will be accessible via this vulnerability.

Proof of concept: Please globally install the lactate package and cd to a directory you wish to serve assets from. Next, run lactate -p 8081 to start serving files from this location.

The following cURL request can be used to demonstrate this vulnerability by requesting the target /etc/passwd file:

curl ""
As there is currently no fix for this issue, selecting an alternative static web server would be the best choice.


Advisory timeline

  1. reported
     Initial report by Yasin Soliman (ysx)
     Jan 23rd, 2018
  2. published
     Advisory published
     Jan 23rd, 2018