CVE-2022-45921 is a directory traversal vulnerability affecting versions of FusionAuth prior to 1.41.3. FusionAuth is an identity and access management platform used to handle authentication and authorization services. This vulnerability allows an unauthenticated remote attacker to craft a specially formed HTTP request that can retrieve arbitrary files outside the application root directory. Specifically, the attacker can access any file readable by the user account under which the FusionAuth process runs. This is a classic directory traversal issue (CWE-22), where insufficient input validation or sanitization enables traversal sequences (e.g., ../) to escape the intended directory boundaries. The vulnerability has a CVSS 3.1 base score of 7.5 (high severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). Exploiting this flaw can lead to unauthorized disclosure of sensitive files such as configuration files, credentials, or other sensitive data accessible to the FusionAuth process user. Although no known exploits are reported in the wild, the ease of exploitation and the potential impact on confidentiality make this a significant risk for organizations using vulnerable FusionAuth versions. The vulnerability was published on November 28, 2022, and fixed in version 1.41.3. No official patch links were provided in the source data, but upgrading to the fixed version is the primary remediation.

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on FusionAuth for critical identity and access management functions. Unauthorized file disclosure could expose sensitive configuration files, private keys, database credentials, or personally identifiable information (PII) of users, leading to data breaches and compliance violations under GDPR. The exposure of authentication-related files could facilitate further attacks such as privilege escalation or lateral movement within networks. Organizations in sectors with stringent data protection requirements—such as finance, healthcare, and government—face heightened risks. Additionally, the compromise of identity management systems undermines trust and can disrupt business operations. Since the vulnerability requires no authentication or user interaction and can be exploited remotely, the attack surface is broad, increasing the likelihood of exploitation if systems remain unpatched. The lack of known exploits in the wild does not reduce the urgency, as public disclosure may prompt attackers to develop exploits.

1. Immediate upgrade of FusionAuth installations to version 1.41.3 or later, where the vulnerability is patched. 2. If immediate upgrade is not feasible, implement network-level controls such as web application firewalls (WAFs) with custom rules to detect and block directory traversal patterns in HTTP requests targeting FusionAuth endpoints. 3. Restrict file system permissions for the user running the FusionAuth process to the minimum necessary, ensuring it cannot read sensitive files outside the application scope. 4. Monitor FusionAuth logs for suspicious HTTP requests containing traversal sequences or unusual file access patterns. 5. Conduct regular security audits and penetration testing focused on identity management systems to detect similar vulnerabilities. 6. Employ segmentation and isolation of identity management infrastructure to limit exposure in case of compromise. 7. Educate security teams about this vulnerability to ensure rapid response and patch management. 8. Review and harden configuration files and credentials stored on the FusionAuth host to minimize sensitive data exposure.