Vulnerability Report: GO-2022-0470

CVE-2022-31022, GHSA-9w9f-6mg8-jp7w
Affects: github.com/blevesearch/bleve, github.com/blevesearch/bleve/v2
Published: Jul 15, 2022
Modified: Jun 11, 2025

HTTP handlers provide unauthenticated access to the local filesystem. The Bleve http package is intended for demonstration purposes and contains no authentication, authorization, or validation of user inputs. Exposing handlers from this package can permit attackers to create files and delete directories.

Affected Packages

Path

Go Versions

Symbols
github.com/blevesearch/bleve/http

all versions, no known fixed
11 affected symbols
github.com/blevesearch/bleve/v2/http

before v2.5.0
11 affected symbols

Aliases

CVE-2022-31022
GHSA-9w9f-6mg8-jp7w

References

https://github.com/blevesearch/bleve/commit/1c7509d6a17d36f265c90b4e8f4e3a3182fe79ff
https://vuln.go.dev/ID/GO-2022-0470.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL