Known Issue: FME Flow Unauthenticated Arbitrary File Download via Directory Traversal Vulnerability

Liz Sanderson
Liz Sanderson
  • Updated

FME Version

  • FME 2022.2
CVE Known Issue ID Vulnerability Product(s) Affected Version(s) Affected Platform Mitigation
Pending FMEFLOW-18626 Directory traversal vulnerability FME Flow (formerly FME Server) FME Server versions prior to 2022.2 All platforms except Linux Upgrade to FME Server 2022.2+ or FME Flow (formerly FME Server) 2023.0+
FME Server versions prior to 2022.0 Linux Upgrade to FME Server 2022.0+ or FME Flow (formerly FME Server) 2023.0+
Pending FMEFLOW-20800
Unauthenticated file download vulnerability FME Flow
FME Flow Hosted (formerly FME Cloud)
All FME Server versions All platforms See available Workarounds

FME Flow Hosted (formerly FME Cloud) instances are not affected by the directory traversal vulnerability, as its use of NGINX as a reverse proxy blocks the directory traversal attack vector. However, FME Flow Hosted instances are still vulnerable to the unauthenticated file download issue.
We have not identified active exploitation of this vulnerability in any of our products.


This vulnerability is comprised of two parts:

  • Directory traversal vulnerability
  • Unauthenticated file download vulnerability

FME Flow (formerly FME Server)

Both vulnerabilities, if exploited, allow for an attacker with access to connect to an FME Flow web server, including over the internet, to download arbitrary files. This can include FME Flow related files such as license keys, server configurations, and web server logs, but also any file located on the same drive as the FME Flow engine results.

FME Flow Hosted (formerly FME Cloud)

FME Flow Hosted instances are only affected by the unauthenticated file download vulnerability and not the directory traversal vulnerability. In a successful attack, only files under the data download directory are subject to the unauthenticated download.


The vulnerability exploits a weakness in an unauthenticated web path and uses an encoded directory traversal technique to evade being blocked by FME Flow filtering.


Safe Software assesses the severity of the vulnerabilities together as Medium, according to our calculated CVSS score of 5.0. We believe the exploitability of the unauthenticated file download vulnerability on FME Flow Hosted instances, which are exposed to the internet, is higher. This is our assessment, and you should evaluate its applicability to your own IT environment.


Upgrade to FME Server 2022.2 or FME Flow 2023.0 or newer, where the directory traversal issue has been resolved. See the Downloads page for the latest version and our documentation for upgrading instructions. If you need assistance upgrading, please contact one of our Partners


In addition to upgrading to FME Server 2022.2+ or FME Flow 2023.0+, we recommend the following workarounds to mitigate the unauthenticated arbitrary file download risk. 

This workaround is effective on FME Flow as well as FME Flow Hosted instances:

  • Remove the ‘Services > Data Download’ permission from User Accounts and Roles, to prevent FME Workspaces being run with the Data Download service.

The following workarounds are applicable to FME Flow only:

  • For the System Cleanup configuration, shorten the interval from the default of 1 day.
  • For the System Cleanup task “Delete_EngineResults_Files”, decrease the value of the ‘Remove Files Older Than’ parameter (e.g. to hours instead of the default 1 day).



We would like to thank Malware Security for making this responsible disclosure and recognize their contribution to increasing the security standard of the FME Platform.

Reporting Security Issues

If you believe you have discovered a vulnerability in the FME Platform, our website, or our other products, please email us as quickly as possible at security at safe dot com.

We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and better protect our users.

Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities.


If you have questions or concerns regarding this advisory, please raise a support request

Was this article helpful?



Please sign in to leave a comment.