FIX NOW Patch available
Critical impact vulnerability, exploited in the wild.
Citrix released fixed firmware for Citrix ADC and Citrix Gateway in January 2020. Apply it; where that is not yet possible, apply the vendor mitigation and monitor for exploitation attempts.

Shitrix (CVE-2019-19781)

Unauthenticated directory traversal in Citrix ADC (NetScaler) and Citrix Gateway leading to remote code execution

Severity CVSS CRITICAL 9.8
Exploitation Exploited in the wild since January 2020; public exploit code exists
Fix available Yes (vendor firmware, January 2020)
CVE-2019-19781

Should I care?

The CVE itself lives in the Citrix ADC and Citrix Gateway appliance firmware, so the first question is whether you run one of those products with its VPN or management interface reachable from the network. The checklist below is about the same weakness class (CWE-22, path traversal) in your own code.

This matters if:
  • Apps serving files or reading paths from user input
  • File upload endpoints (the uploaded file name is an attacker-controlled path)
Not relevant if:
  • No file operations use user-supplied paths
  • All paths are canonicalised and verified to resolve under a fixed root

How it breaks apps

1 User input is used to build a file path (or a URL path that maps onto one)
2 ".." segments, often percent-encoded, escape the intended root
3 Attacker reaches files or handlers that were meant to be unreachable without authentication
4 Sensitive data exposure, or, as in CVE-2019-19781, code execution on the appliance

Is this in your code?

Shoulder scans your codebase and tells you if CVE-2019-19781 is reachable — not just present.

npx @shoulderdev/cli trust .

Technical details

Risk by Environment

Production (public-facing) HIGH
Patch now. Exploitation needs only network reach to the appliance's web interface, no credentials, and public exploit code exists; a successful attack gives code execution on the device.
Staging MEDIUM
Schedule patch. Review if this environment is network-accessible.
Internal services MEDIUM
Assess exposure. Patch if the service handles sensitive data.
Local dev only LOW
Minimal risk in isolated dev environments.
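The "monitor" half of the advice above needs something concrete to look for. The following is an added example, not code from this page or from Citrix: a small detector that scans web-server access-log lines for the URL shape behind CVE-2019-19781, a "/vpn/../vpns/" traversal that reaches paths meant to require authentication. The log lines are constructed for the example, and the combined log format, the IP addresses and the request paths are assumptions rather than data from the page.

```javascript
// Added example, not code from the Shoulder page or from Citrix: scan
// access-log lines for the "/vpn/../vpns/" traversal shape of CVE-2019-19781.
// Log lines below are constructed; the combined log format, addresses and
// request paths are assumptions, not data from the page.

// Common/combined log format: ip ident user [time] "METHOD url PROTO" status ...
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Percent-decode repeatedly (bounded) so double encoding such as "%252e%252e"
// cannot hide "..", then normalise separators and case for matching.
function canonicalize(rawPath) {
  let p = rawPath;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(p); } catch (e) { break; } // bad %xx: stop
    if (next === p) break;
    p = next;
  }
  return p.replace(/\\/g, "/").toLowerCase();
}

// Flag a request path when, after decoding, it contains "/vpns/" together with
// a "/../" segment. Plain "/vpns/..." requests are normal post-login traffic,
// so both conditions are required to avoid flagging legitimate users.
function isTraversalProbe(requestPath) {
  const p = canonicalize(requestPath.split("?")[0]);
  return p.includes("/vpns/") && p.includes("/../");
}

// Parse each line and keep the ones that look like traversal probes.
function scanLog(text) {
  const hits = [];
  for (const line of text.split("\n")) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const [, ip, ts, method, url, status] = m;
    if (isTraversalProbe(url)) hits.push({ ip, ts, method, url, status });
  }
  return hits;
}

// Constructed sample log (documentation IP ranges, placeholder file names).
const SAMPLE_LOG = [
  '203.0.113.7 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/portal/index.html HTTP/1.1" 200 1024 "-" "curl/7.64.0"',
  '203.0.113.7 - - [11/Jan/2020:03:14:09 +0000] "POST /vpn/..%2Fvpns/portal/scripts/example.pl HTTP/1.1" 200 40 "-" "curl/7.64.0"',
  '198.51.100.20 - - [11/Jan/2020:03:15:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.20 - - [11/Jan/2020:03:15:02 +0000] "GET /vpns/portal/homepage.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '192.0.2.9 - - [11/Jan/2020:03:16:45 +0000] "GET /vpn/%2e%2e/vpns/portal/index.html HTTP/1.1" 403 0 "-" "python-requests/2.22"',
].join("\n");

for (const h of scanLog(SAMPLE_LOG)) {
  console.log(`${h.ts} ${h.ip} ${h.method} ${h.url} -> ${h.status}`);
}
```

Note that the 403 line is still reported: a blocked probe tells you someone is scanning for this bug, which is worth knowing even after the workaround is in place. A 200 on the same shape is the line to escalate.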

AI Development Risk

The weakness class behind this CVE (not the Citrix bug itself) is commonly introduced when AI generates code.

CWE-22
Path traversal
LLM-generated file handlers tend to join user input onto a base directory and use the result directly, without canonicalising it (percent-decoding, collapsing "..") and checking that it still resolves under the intended root.