Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-rjq5-w47x-x359

Опубликовано: 23 янв. 2024
Источник: github
Github: Прошло ревью
CVSS3: 5.3

Описание

@hono/node-server cannot handle "double dots" in URL

Impact

Since v1.3.0, we use our own Request object. This is great, but the url behavior is unexpected.

In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request will be in the resolved path.

const req = new Request('http://localhost/static/../foo.txt') // Web-standards console.log(req.url) // http://localhost/foo.txt

However, the url in our Request does not resolve double dots, so http://localhost/static/.. /foo.txt is returned.

const req = new Request('http://localhost/static/../foo.txt') console.log(req.url) // http://localhost/static/../foo.txt

It will pass unresolved paths to the web application. This causes vulnerabilities like #123 when using serveStatic.

Note: Modern web browsers and a latest curl command resolve double dots on the client side, so it does not affect you if the user uses them. However, problems may occur if accessed by a client that does not resolve them.

Patches

"v1.4.1" includes the change to fix this issue.

Workarounds

Don't use serveStatic.

Ссылки

Пакеты

Наименование

@hono/node-server

npm
Затронутые версииВерсия исправления

>= 1.3.0, < 1.4.1

1.4.1

EPSS

Процентиль: 48%
0.00246
Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2024-23340

Дефекты

CWE-22

Связанные уязвимости

nvd логотип

CVE-2024-23340

CVSS3: 5.3
nvd
около 2 лет назад

@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called "double dots", the URL string returned by Request will be in the resolved path. However, the `url` in @hono/node-server's Request as does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and a latest `curl` command resolve double dots on the client side, so this issue doesn't affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don't use `serveStatic`.

EPSS

Процентиль: 48%
0.00246
Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2024-23340

Дефекты

CWE-22