FreeRDP: contains_dotdot() off-by-one allows drive channel path traversal via terminal...

4.2 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Description

FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\` mid-path but misses `..` when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue.

Basic Information

ID CVE-2026-40254

Source GitHub_M

Published Apr 24, 2026 at 02:24

Affected Product

Vendor FreeRDP

Product FreeRDP

Version < 3.25.0

Affected Versions FreeRDP FreeRDP < 3.25.0

CWE Classification

CWE-193

References

github.com /FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmx

{
    "lastseen": "",
    "description": "FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in `channels/drive/client/drive_file.c`. The `contains_dotdot()` function catches `../` and `..\\` mid-path but misses `..` when it's the last component with no trailing separator. A rogue RDP server can read, list, or write files one directory above the client's shared folder through RDPDR requests. This requires the victim to connect with drive redirection enabled. Version 3.25.0 patches the issue.",
    "published": "2026-04-24T02:24:50.794Z",
    "modified": "2026-04-24T02:24:50.794Z",
    "type": "cve",
    "title": "FreeRDP: contains_dotdot() off-by-one allows drive channel path traversal via terminal ..",
    "source": "GitHub_M",
    "references": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmx",
    "id": "CVE-2026-40254",
    "bulletinFamily": "",
    "cwe": [
        "CWE-193"
    ],
    "cvelist": null,
    "sourceData": "FreeRDP FreeRDP < 3.25.0",
    "sourceHref": "",
    "cvss": {
        "score": 4.2,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "FreeRDP",
    "version": "< 3.25.0",
    "vendor": "FreeRDP",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

FreeRDP: contains_dotdot() off-by-one allows drive channel path traversal via terminal .._CVE-2026-40254