IPX Allows Path Traversal via Prefix Matching Bypass

Description

The approach used to check whether a path is within allowed directories is vulnerable to path prefix bypass when the allowed directories do not end with a path separator. This occurs because the check relies on a raw string prefix comparison.

Recommendation

Update the ipx package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 3.0.0, < 3.1.1

  >= 2.0.0-0, < 2.1.1

  < 1.3.2**

• Patched version(s): **3.1.1

  2.1.1

  1.3.2**

References

• GHSA-mm3p-j368-7jcr
• CVE-2025-54387
• CWE-22
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• OpenClaude: Sandbox Bypass via Early-Exit Logic Flaw Allows Path Traversal - CVE-2026-35570
• Feathers has an origin validation bypass via prefix matching - CVE-2026-27192
• hemmelig allows SSRF Filter bypass via Secret Request functionality - CVE-2025-69206
• Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching - CVE-2026-46341

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

ipx