Path Traversal Vulnerability Discovered In Impacket: CVE-2021-31800 / CX-2021-4793


Severity: 9.9 - Critical Severity

Summary
Impacket prior to version 0.9.23 is vulnerable to Path Traversal.


Impacket prior to 0.9.23


If the vulnerability is exploited, an attacker could write files to any location on the affected computer. This could be elevated to an RCE in a variety of ways depending on the environment and the operating system.

Steps To Reproduce

  1. For a full and detailed reproduction see: Checkmarx Research Blogpost

Expected Result:

Files should only be listed and written to the intended work directory.
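The containment check this expected result implies, as an added Python example (not Impacket's code and not the fix commit). `naive_join`, `safe_join` and `escapes` are hypothetical names, and the work directory and client paths are constructed; it assumes clients may send either `/` or `\` as a separator.

```python
import os
import tempfile

def naive_join(work_dir, client_path):
    """Vulnerable pattern: the client-supplied path is joined and used as-is."""
    return os.path.normpath(os.path.join(work_dir, client_path.replace("\\", "/")))

def safe_join(work_dir, client_path):
    """Return client_path resolved inside work_dir, or raise ValueError."""
    root = os.path.realpath(work_dir)
    # Accept either separator and strip leading ones, so the client path
    # is always treated as relative to the work directory.
    rel = client_path.replace("\\", "/").lstrip("/")
    # realpath collapses ".." and follows symlinks that already exist.
    candidate = os.path.realpath(os.path.join(root, rel))
    # commonpath compares whole components: "<root>-sibling" is rejected,
    # which a plain startswith(root) test would let through.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes work directory: %r" % client_path)
    return candidate

def escapes(work_dir, client_path):
    """True when safe_join refuses client_path."""
    try:
        safe_join(work_dir, client_path)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    work_dir = tempfile.mkdtemp()  # constructed work directory
    sibling = "../" + os.path.basename(os.path.realpath(work_dir)) + "-sibling/x"
    # Constructed client paths: benign, dot-dot, absolute, sibling-prefix.
    for p in ["reports/a.txt", "..\\..\\outside.txt", "/abs/file", sibling]:
        print("%-40r naive=%s rejected=%s" % (p, naive_join(work_dir, p), escapes(work_dir, p)))
```
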


This issue was fixed in version 0.9.23 through commit cae2031.


Attack Vector: Network

Attack Complexity: Low

Privileges Required: Low

User Interaction: None

Scope: Changed

Confidentiality: High

Integrity: High

Availability: High


This issue was discovered and reported by Checkmarx Security Researcher Omri Inbar.


  1. Commit (cae2031)