CVE-2022-29590 - PowerShell Universal Published Folder Escape

PowerShell Universal

April 21, 2022

quote Discuss this Article

This blog post details the vulnerability CVE-2022-29590 in PowerShell Universal.

Table of Contents


Directory traversal in Published Folders in Ironman Software’s PowerShell Universal version 1.0.0 through 3.0.0-beta3 can allow a remote attacker to access arbitrary files on the remote system by using an HTTP web request.

CVSS - High 8.6

We have determined that this vulnerability scores high (8.6) on the Common Vulnerability Scoring System.

Vector String:


Affected Versions

Affects versions 1.0.0 through 3.0.0-beta3 (all previously published versions).

Affected Configurations

Customers without Published Folders configured are not exposed to this vulnerability. Customers with unauthenticated Published Folders risk unauthenticated remote attackers accessing any file on the system. Customers with authenticated Published Folders risk authenticated remote attackers accessing any file on the system.


We encourage users to disable published folders or upgrade to a patched version. All downloads can be found on our downloads page.

The following version numbers contain the fix for this issue.

Root Cause

The root cause is due to invalid path handling in the Published Folder component. Due to the way that paths were combined, it is possible to pass an absolute path to the published folder endpoint to access any file on the system that the PowerShell Universal server account has access to.

For example, you could configure a Published Folder like this.

New-PSUPublishedFolder -Path C:\test -RequestPath "/test" 

An attacker could then craft a request with an absolute path to download files outside of the published folder. This example downloads taskmgr.exe from the System32 directry.

Invoke-WebRequest http://localhost:5000/test/C:/Windows/System32/taskmgr.exe -OutFile taskmgr.exe


Vulnerability Response Policy

We encourage all customers and security researchers to work with us when vulnerabilities are identified or suspected. You can find more information about our policy here.