CVE-2022-35920: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in sanic-org sanic

Medium
Published: Mon Aug 01 2022 (08/01/2022, 21:35:27 UTC)
Source: CVE
Vendor/Project: sanic-org
Product: sanic

Description

Sanic is an open-source Python web server/framework. Affected versions of Sanic allow access to lateral directories when using `app.static` if using encoded `%2F` URLs. Parent directory traversal is not impacted. Users are advised to upgrade. There is no known workaround for this issue.

AI-Powered Analysis

Last updated: 06/22/2025, 00:07:46 UTC

Technical Analysis

CVE-2022-35920 is a medium-severity path traversal vulnerability affecting the Sanic web server/framework, an open-source Python framework widely used for building asynchronous web applications. The vulnerability arises from improper limitation of pathnames to restricted directories (CWE-22) when serving static files via the `app.static` method. Specifically, the affected versions of Sanic (versions >= 22.0.0 and < 22.6.1, >= 21.0.0 and < 21.12.2, and all versions below 20.12.7) fail to correctly handle encoded URL characters, in particular the encoded forward slash `%2F`. This allows an attacker to craft specially encoded URLs that bypass directory restrictions and access lateral directories adjacent to the intended static directory. Parent directory traversal (i.e., using `../`) is not impacted, which limits the scope of traversal to lateral directories only. The vulnerability does not require authentication or user interaction to exploit, but it does require that the Sanic application is configured to serve static content via `app.static`. There are no known exploits in the wild at this time, and no workaround exists other than upgrading to a patched version of Sanic (versions 22.6.1, 21.12.2, or later). This vulnerability could allow unauthorized disclosure of files outside the intended static directory, potentially exposing sensitive information or configuration files if present in lateral directories readable by the web server process. The issue stems from insufficient sanitization and validation of URL-encoded input paths when resolving static file requests, which is a common web security concern but requires careful handling in asynchronous frameworks like Sanic.
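As an added example (not Sanic's own code and not the upstream patch), the following Python helper shows the containment check a static-file handler needs so that a percent-encoded separator is judged after decoding: the request path is decoded, joined to the static root, resolved, and rejected unless it still lies inside that root. The static root `/srv/app/static`, the sibling directory `private` and the request paths are constructed for the example.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Constructed static root for the example. The directories need not exist:
# Path.resolve() normalises '..' components lexically when the target is absent.
STATIC_ROOT = Path("/srv/app/static")


def resolve_static_path(root: Path, raw_uri: str) -> Optional[Path]:
    """Map a request path onto a file under root, or return None if it escapes.

    The containment check runs on the percent-decoded path, so an encoded
    separator (%2F) is treated exactly like a literal '/'. Inspecting the raw
    URI for '/' or '..' before decoding would miss that case.
    """
    decoded = unquote(raw_uri)
    if "\x00" in decoded:
        return None  # an embedded NUL is never a legitimate file name
    # Drop leading separators: Path("/root") / "/etc/passwd" would otherwise
    # discard root entirely and return the absolute path unchanged.
    relative = decoded.lstrip("/\\")
    root_resolved = root.resolve()
    candidate = (root_resolved / relative).resolve()
    try:
        candidate.relative_to(root_resolved)  # raises ValueError if outside root
    except ValueError:
        return None
    return candidate


def classify(raw_uri: str) -> str:
    """Label a request path 'served' or 'blocked' against STATIC_ROOT."""
    return "served" if resolve_static_path(STATIC_ROOT, raw_uri) else "blocked"


if __name__ == "__main__":
    # Constructed request paths: a normal file, an encoded slash that stays
    # inside the root, an encoded reach into the sibling directory 'private',
    # the same reach with literal slashes, and an encoded absolute path.
    for uri in (
        "css/site.css",
        "css%2Fsite.css",
        "..%2Fprivate%2Fsecrets.txt",
        "../private/secrets.txt",
        "%2Fetc%2Fpasswd",
    ):
        print(f"{uri:30} -> {classify(uri)}")
```

The absolute-path case is served from inside the root (as `static/etc/passwd`) rather than rejected, because stripping the leading separator keeps the join anchored at the root; whether to reject it outright instead is a policy choice.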

Potential Impact

For European organizations using Sanic to serve static content, this vulnerability could lead to unauthorized information disclosure. Attackers could retrieve files from lateral directories, which may include sensitive configuration files, credentials, or internal documentation, depending on the server's directory structure and permissions. This could compromise confidentiality and potentially aid further attacks such as privilege escalation or lateral movement within the network. While the vulnerability does not allow parent directory traversal, lateral directory access still poses a significant risk if sensitive files are stored in sibling directories. The impact is heightened in sectors with strict data protection requirements, such as finance, healthcare, and government, where exposure of sensitive data could lead to regulatory penalties under GDPR and damage to reputation. Since Sanic is popular for high-performance asynchronous Python applications, organizations relying on it for web services or APIs may face service disruption if attackers exploit this flaw to access or leak critical files. However, the lack of known exploits and the medium severity rating suggest the immediate risk is moderate but should not be underestimated given the potential for information leakage.

Mitigation Recommendations

Upgrade Sanic to a patched version: specifically, versions 22.6.1, 21.12.2, or later, which address this vulnerability. Review and restrict the directory structure used for serving static files to ensure no sensitive files reside in lateral directories accessible to the web server process. Implement strict access controls and file permissions on the server to limit the web server's read access only to necessary directories. Use web application firewalls (WAFs) with custom rules to detect and block requests containing encoded path traversal sequences such as '%2F'. Audit and sanitize all user inputs and URLs, especially those used in static file serving, to prevent exploitation of encoding-based bypasses. Monitor web server logs for suspicious requests containing encoded characters or unusual access patterns to lateral directories. Consider isolating static content serving to dedicated subdomains or containers with minimal privileges to reduce the blast radius of any potential exploitation.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-07-15T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9849c4522896dcbf6761

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/22/2025, 12:07:46 AM

Last updated: 8/11/2025, 10:49:25 PM
