Unicode characters that get normalized into path traversal characters
12
12
12This vector performs normalization and compares to see if the characters get normalized into path traversal characters
Created byhackvertor
Created Dec 12, 2024
Updated May 28, 2025
Detecting browser...
CategoryJavaScript Syntax
VisibilityPublic
TypeJS
CharsetUTF-8
Code used before fuzz:
const charsToCheck = ["\\","/","."];0x0D
const normalizationForms = ["NFKC", "NFC", "NFD", "NFKD"];Template used:
$[i] > 0x7f && normalizationForms.forEach(form => {0x0D
const normalized = String.fromCodePoint($[i]).normalize(form);0x0D
for(let charToCheck of charsToCheck) {0x0D
if(charToCheck === normalized) {0x0D
log(String.fromCodePoint($[i])+"("+form+")"+"="+charToCheck);0x0D
}0x0D
}0x0D
})Sample payloads
0 > 0x7f && normalizationForms.forEach(form => {0x0D
const normalized = String.fromCodePoint(0).normalize(form);0x0D
for(let charToCheck of charsToCheck) {0x0D
if(charToCheck === normalized) {0x0D
alert(String.fromCodePoint(0)+"("+form+")"+"="+charToCheck);0x0D
}0x0D
}0x0D
})Fuzz results
Chrome 144.0.0.0 desktop Windows NT 10.0
Updated31 Jan 2026
Found 12 results
Loading...
Chrome 141.0.0.0 desktop macOS 10.15.7older version
Updated29 Oct 2025
Found 12 results
Loading...
Firefox 147.0 desktop Linux
Updated1 Feb 2026
Found 12 results
Loading...
Firefox 139.0 desktop macOS 10.15older version
Updated31 May 2025
Found 12 results
Loading...
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated30 Jan 2026
Found 12 results
Loading...