High SeverityA01:2021 - Broken Access ControlCWE-22

How to Fix Path Traversal in FastAPI

Learn how to prevent and fix Path Traversal vulnerabilities in FastAPI applications. Step-by-step guide with code examples, security checklists, and best practices.

What Is Path Traversal?

Path Traversal (also known as directory traversal or dot-dot-slash attacks) is a vulnerability that allows attackers to read, and sometimes write, arbitrary files on the server by manipulating file path references. The attack uses special characters like `../` (parent directory) to navigate outside the intended directory.

For example, if an application serves files from `/app/uploads/` based on user input, an attacker might request `../../../etc/passwd` to read the system's password file. The vulnerability occurs when applications use user-supplied input to construct file paths without proper validation or sandboxing.

In Node.js applications, path traversal can occur in: file upload/download handlers that use user-supplied filenames; static file serving that does not properly restrict the base directory; template rendering that accepts user-controlled template paths; and API routes that read configuration files based on user input. Next.js API routes and server components that handle file operations are potential attack surfaces.

Why It Matters

Path traversal can expose the entire server filesystem to an attacker. Sensitive files that might be accessed include application source code, configuration files with database credentials and API keys, environment files (.env), private keys and certificates, user-uploaded data belonging to other users, and operating system files. If write access is also possible, attackers can overwrite configuration files, inject malicious code, or create web shells. In containerized environments, path traversal might allow container escape if not properly sandboxed.

How to Fix It in FastAPI

Never use user-supplied input directly in file path construction. Use a whitelist of allowed filenames or identifiers that map to actual file paths. Resolve the final path using `path.resolve()` and verify it falls within the expected base directory. Strip or reject path traversal sequences (../, ..\, and URL-encoded variants). Use `path.basename()` to extract just the filename from user input. Implement chroot jails or use containerization to limit filesystem access. Set restrictive file system permissions -- the application should only have access to directories it needs. For file uploads, generate random filenames rather than using user-supplied names.

FastAPI-Specific Advice

Use Pydantic models for all request validation. FastAPI automatically validates requests against Pydantic schemas, but ensure all fields are properly typed.
Use SQLAlchemy ORM or parameterized queries with your database driver. Never use f-strings or string formatting in SQL queries.
Implement OAuth2 with JWT using FastAPI's built-in `OAuth2PasswordBearer` and proper token validation with `python-jose`.
Configure CORS middleware explicitly. Use `CORSMiddleware` with specific `allow_origins` rather than wildcards in production.

FastAPI Security Checklist for Path Traversal

Audit all file system operations that use user-supplied input

Resolve file paths and verify they fall within the expected base directory

Use path.basename() to extract filenames from user input

Reject paths containing traversal sequences (../, ..\)

Generate random filenames for uploaded files rather than using user-supplied names

Set restrictive file system permissions on the application's directories

Run SafeVibe's path traversal scan on your FastAPI application

FastAPI Security Best Practices

Use Pydantic models for all request validation. FastAPI automatically validates requests against Pydantic schemas, but ensure all fields are properly typed.

Use SQLAlchemy ORM or parameterized queries with your database driver. Never use f-strings or string formatting in SQL queries.

Implement OAuth2 with JWT using FastAPI's built-in `OAuth2PasswordBearer` and proper token validation with `python-jose`.

Configure CORS middleware explicitly. Use `CORSMiddleware` with specific `allow_origins` rather than wildcards in production.

Use `python-dotenv` for environment variables and never hardcode secrets. Keep `.env` files out of version control.

Implement rate limiting using `slowapi` or a reverse proxy. FastAPI does not include built-in rate limiting.

Use `UploadFile` type for file uploads with validation of content type and file size. Process files securely.

Avoid using `pickle.loads()` or `yaml.load()` on untrusted data. Use `json.loads()` for deserialization of user input.

Scan Your FastAPI App with SafeVibe

Stop guessing if your FastAPI app is vulnerable to Path Traversal. Run an automated penetration test in minutes and get actionable results.

Start Free Scan

Related Guides

Path Traversal in Other Frameworks

Express Django Ruby on Rails Laravel

View all Path Traversal guides

More FastAPI Security Guides

SQL Injection Insecure Direct Object References (IDOR)Broken Authentication Security Misconfiguration

View all FastAPI guides

What Is Path Traversal?

Why It Matters

How to Fix It in FastAPI

FastAPI-Specific Advice

Use Pydantic models for all request validation. FastAPI automatically validates requests against Pydantic schemas, but ensure all fields are properly typed.
Use SQLAlchemy ORM or parameterized queries with your database driver. Never use f-strings or string formatting in SQL queries.
Implement OAuth2 with JWT using FastAPI's built-in `OAuth2PasswordBearer` and proper token validation with `python-jose`.
Configure CORS middleware explicitly. Use `CORSMiddleware` with specific `allow_origins` rather than wildcards in production.