Path Traversal in WellKnownServlet in jgraph/drawio


Reported on May 14th 2022


The WellKnownServlet is vulnerable to path traversal: the request URI is passed to getResourceAsStream after only the substring "/." has been replaced with "/", so it is never canonicalised or confined to the .well-known directory. This allows reading local files of the web application. For example, the files in WEB-INF that contain secrets and API keys can be read.

        String uri = request.getRequestURI().replace("/.", "/");

        if (uri.toLowerCase().contains(".json"))
        {
            response.setContentType("application/json");
        }

        // Serve whatever was requested from .well-known
        // (the lookup uses the request path as-is: no normalisation, no prefix check)
        try (InputStream in = getServletContext().getResourceAsStream(uri))
        {
            if (in == null)
            {
                response.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }

            byte[] buffer = new byte[8192];
            int count;

            while ((count = in.read(buffer)) > 0)
            {
                response.getOutputStream().write(buffer, 0, count);
            }
        }
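The missing step in the servlet above is a canonicalisation-then-confine check before the resource lookup. The class below is an added illustration of that check written for this page; it is not code from the drawio project or from its fix commit. The class and method names, the ALLOWED_PREFIX constant and the assumption that the servlet is only meant to expose the webapp's /.well-known/ directory are all assumptions made here.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Canonicalises a raw request URI and confirms the result stays inside the
 * .well-known directory before it is handed to getResourceAsStream().
 * Hypothetical helper for illustration; names and prefix are assumptions.
 */
public final class WellKnownPathCheck
{
    // Only resources below this directory are meant to be served (assumption).
    static final String ALLOWED_PREFIX = "/.well-known/";

    /**
     * @param requestUri the undecoded value of request.getRequestURI()
     * @return a normalised, context-relative path that is safe to look up,
     *         or null when the request must be rejected
     */
    public static String resolve(String requestUri)
    {
        if (requestUri == null || requestUri.isEmpty())
        {
            return null;
        }

        // getRequestURI() is undecoded; URI.getPath() decodes it exactly once,
        // so an encoded ".." segment is seen for what it is.
        String path;
        try
        {
            path = new URI(requestUri).getPath();
        }
        catch (URISyntaxException e)
        {
            return null; // malformed request path
        }
        if (path == null)
        {
            return null;
        }

        // A '%' surviving one decode means double encoding; path parameters,
        // backslashes and NUL bytes have no business in a resource name either.
        if (path.contains("%") || path.contains(";") || path.contains("\\") || path.indexOf('\0') >= 0)
        {
            return null;
        }

        // Collapse "." and ".." ourselves instead of trusting the resource
        // loader to do it; climbing above the context root is a rejection.
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/"))
        {
            if (seg.isEmpty() || seg.equals("."))
            {
                continue;
            }
            if (seg.equals(".."))
            {
                if (segments.isEmpty())
                {
                    return null;
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        String normalised = "/" + String.join("/", segments);

        // The confinement check runs on the canonical form, never on the raw URI,
        // and the directory itself is not a servable resource.
        if (!normalised.startsWith(ALLOWED_PREFIX) || normalised.length() == ALLOWED_PREFIX.length())
        {
            return null;
        }
        return normalised;
    }

    public static void main(String[] args)
    {
        // Constructed sample requests: the first is legitimate, the others must yield null.
        String[] samples = {
            "/.well-known/security.txt",
            "/.well-known/../WEB-INF/appengine-web.xml",
            "/.well-known/%2e%2e/WEB-INF/appengine-web.xml",
            "/WEB-INF/appengine-web.xml"
        };
        for (String s : samples)
        {
            System.out.println(s + " -> " + resolve(s));
        }
    }
}
```

In the servlet, the lookup would then become getResourceAsStream(WellKnownPathCheck.resolve(uri)) with a 404 returned whenever resolve() yields null; the replace("/.", "/") call is dropped entirely, since a string substitution on the raw URI is not a substitute for canonicalising the path and checking the prefix.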

Proof of Concept

Access the following URL (replace <host> with the actual host of the web application).


This will disclose the contents of appengine-web.xml:

<?xml version="1.0" encoding="utf-8"?>
<appengine-web-app xmlns="">

  <!-- Configure java.util.logging -->
    <property name="java.util.logging.config.file" value="WEB-INF/"/>

  <!-- Path patterns not supported in production -->
    <include path="/**">
      <http-header name="Referrer-Policy" value="strict-origin"/>
      <http-header name="Access-Control-Allow-Origin" value="*"/>
      <http-header name="X-XSS-Protection" value="1; mode=block"/>
      <http-header name="X-Content-Type-Options" value="nosniff"/>
    </include>

  <!-- App engine has conflicting interfaces for javax.cache.CacheManager -->
    <priority-specifier filename="cache-api-1.1.1.jar"/>

</appengine-web-app>


Read local files of the web application.

We are processing your report and will contact the jgraph/drawio team within 24 hours. 2 years ago
David Benson validated this vulnerability 2 years ago
Tobias S. Fink has been awarded the disclosure bounty
The fix bounty is now up for grabs
David Benson
2 years ago

Maintainer will be the fix

David Benson marked this as fixed in 18.0.5 with commit 01ccb2 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Tobias S. Fink
2 years ago

Ok, looks good.