Home

Description

The Takes web framework's TkFiles take thru 2.0-SNAPSHOT fails to canonicalize HTTP request paths before resolving them against the filesystem. A remote attacker can include ../ sequences in the request path to escape the configured base directory and read arbitrary files from the host system.

PUBLISHED Reserved 2025-12-08 | Published 2025-12-19 | Updated 2025-12-19 | Assigner mitre

References

github.com/yegor256/takes

github.com/..._cve_report/blob/main/CVE-2025-66905_report.md

cve.org (CVE-2025-66905)

nvd.nist.gov (CVE-2025-66905)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.