May 26, 2020

GHSL-2020-073: Path traversal in Jooby - CVE-2020-7647

Alvaro Munoz


A Path Traversal vulnerability was identified in Jooby which allows an attacker to access arbitrary classpath resources including .properties and .class files.



Tested Version



Patched versions: 1.6.7 and 2.8.2


Arbitrary classpath resource access

When exposing a file system directory such as in:

assets("/static/**", Paths.get("static"));

Jooby uses the following code in AssetHandler.loader() to access the file:

  private static Loader loader(final Path basedir, final ClassLoader classloader) {
    if (Files.exists(basedir)) {
      return name -> {
        Path path = basedir.resolve(name).normalize();
        // Serve from disk only when the resolved file exists and is inside basedir...
        if (Files.exists(path) && path.startsWith(basedir)) {
          try {
            return path.toUri().toURL();
          } catch (MalformedURLException x) {
            // shh
          }
        }
        // ...otherwise fall back to the classpath with the caller-supplied name
        return classloader.getResource(name);
      };
    }
    return classloader::getResource;
  }

However, if the file does not exist or the normalized name is outside of Jooby’s base directory, the classpath is also searched in classloader.getResource().

An attacker can access a URL such as http://server/static/WEB-INF/web.xml which will make Jooby search the <base directory>/static path for the referenced file. If this is not found, the classpath will be searched for /WEB-INF/web.xml instead and its contents will be returned. This way an attacker can access any configuration file or even the application class files.

Note that even if assets are configured for a certain extension, it is still possible to bypass this, e.g.:

assets("/static/**/*.js", Paths.get("static"));

In this case, an attacker can access io.yiss.App bytecode by sending:


This vulnerability also affects assets configured to access resources from the root of the class path, e.g.:


In this case we can traverse /static using:



This issue may lead to Classpath Resource Disclosure (Information Disclosure).
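As an added defender-side example (my own code, not Jooby's and not the project's patch), the vulnerable fallback is shown next to a hardened variant that rejects traversal before any lookup and confines the classpath fallback to a dedicated resource prefix. The class name AssetLoaderDemo, the prefix parameter and the probe resource are assumptions, and the demo assumes Java 11+.

```java
import java.io.File;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.function.Function;

public class AssetLoaderDemo {
  // Mirrors the vulnerable loader: a miss on disk falls through to the classpath with the raw name.
  static Function<String, URL> vulnerableLoader(Path basedir, ClassLoader cl) {
    return name -> {
      Path path = basedir.resolve(name).normalize();
      if (Files.exists(path) && path.startsWith(basedir)) {
        try { return path.toUri().toURL(); } catch (MalformedURLException x) { /* ignore */ }
      }
      return cl.getResource(name); // classpath lookup with the caller-controlled name
    };
  }

  // Hardened variant (an assumption, not Jooby's actual patch): refuse traversal before any lookup,
  // and confine the classpath fallback to a dedicated resource prefix.
  static Function<String, URL> hardenedLoader(Path basedir, String prefix, ClassLoader cl) {
    return name -> {
      Path rel = Paths.get(name).normalize();
      if (rel.isAbsolute() || rel.startsWith("..") || rel.toString().isEmpty()) {
        return null; // escapes the asset tree: reject instead of consulting the classpath
      }
      Path path = basedir.resolve(rel).normalize();
      if (!path.startsWith(basedir)) {
        return null;
      }
      if (Files.isRegularFile(path)) {
        try { return path.toUri().toURL(); } catch (MalformedURLException x) { return null; }
      }
      // Fallback stays under "<prefix>/", so WEB-INF/web.xml or App.class at the root are out of reach.
      return cl.getResource(prefix + "/" + rel.toString().replace(File.separatorChar, '/'));
    };
  }
  public static void main(String[] args) throws Exception {
    Path basedir = Files.createTempDirectory("static").toRealPath(); // constructed asset directory
    Files.writeString(basedir.resolve("app.js"), "console.log('ok');");
    ClassLoader cl = AssetLoaderDemo.class.getClassLoader();
    String probe = "java/lang/Object.class"; // exists on every JDK classpath; stands in for an app .class
    System.out.println("vulnerable: " + vulnerableLoader(basedir, cl).apply(probe));         // leaks the class
    System.out.println("hardened:   " + hardenedLoader(basedir, "static", cl).apply(probe));  // refused
    System.out.println("legit:      " + hardenedLoader(basedir, "static", cl).apply("app.js")); // still served
  }
}
```

A loader configured to serve from the classpath root (the last case above) has no prefix to confine it, so that configuration cannot be made safe by path checks alone.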


Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.



This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).


You can contact the GHSL team at Please include GHSL-2020-073 in any communication regarding this issue.