Path Traversal in pokeapi/pokeapi


Reported on

Sep 9th 2021

✍️ Description

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. It should be noted that access to files is limited by system operational access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).

NGINX is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The NGINX alias directive defines a replacement for the specified location.

The incorrect configuration of the alias could allow an attacker to read file stored outside the target folder.

In particular, the locations /graphql/console is configured to have aliases /public-console/, which the location doesn't ends with directory separator (/) in nginx configuration file nginx.conf.


Find all NGINX alias directives and make sure that the parent prefixed location ends with directory separator.

We created a GitHub Issue asking the maintainers to create a 2 years ago
We have contacted a member of the pokeapi team and are waiting to hear back 2 years ago
Viky submitted a
2 years ago
pokeapi/pokeapi maintainer validated this vulnerability a year ago
Viky has been awarded the disclosure bounty
The fix bounty is now up for grabs
pokeapi/pokeapi maintainer marked this as fixed in 2.3.0 with commit eb5b34 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
pokeapi/pokeapi maintainer
a year ago


The vulnerability wasn't disclosed directly with any member of PokeAPI.

For disclosure, read more here:

Next time, contact one fo the main contributors about it.

to join this conversation