
Path traversal Vulnerability in https://github.com/warren-bank/node-serve

High
warren-bank published GHSA-fvgx-74rr-6hpq Jun 7, 2024

Package

warren-bank/node-serve/ (https://github.com/warren-bank/node-serve/)

Affected versions

< 130002.18.6

Patched versions

130002.18.6

Description

Due to incorrect usage of path.join, https://github.com/warren-bank/node-serve is vulnerable to a Local File Inclusion (path traversal) vulnerability.
You can read more about this class of vulnerability and its consequences here: https://cwe.mitre.org/data/definitions/22.html

The vulnerable code is in the file ./lib/serve/bin/serve.js, which you can view online at: https://raw.githubusercontent.com/warren-bank/node-serve/HEAD/lib/serve/bin/serve.js
If any argument to path.join is a relative path that refers to the parent directory (../), the returned path can point outside the intended directory, which can lead to leakage of sensitive files.

Running the project:
We installed the dependencies with yarn install and then ran the file with node: node ./lib/serve/bin/serve.js

Verified proof-of-concept (PoC) that reads the passwd file (path traversal vulnerability):

curl --path-as-is server_address:port/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

By default, running the vulnerable file listens on a port reachable from the network. Thus the Attack Vector (AV) of CVSS is: (N)etwork

Impact:
We've calculated the base score of the vulnerability as 7.5, with a severity of "High", using the following vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
You can view the CVSS score online via: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Mitigation:
We also prepared a patch, which we believe is secure against this attack. Patch file content:

@@ -3060,0 +3061,7 @@
+    if (path.normalize(decodeURI(request.url)) !== decodeURI(request.url)) {
+        response.statusCode = 403;
+        response.end();
+        return;
+    }
+    
+    if (compress) {
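Review bot: path.normalize is platform-dependent, so on Windows it rewrites every '/' in the URL as '\' and this comparison returns 403 for every request; use path.posix.normalize for URL paths. decodeURI(request.url) is also evaluated twice with no try/catch and throws URIError on a malformed percent-sequence, which would escape the handler instead of producing a 400, and decodeURI leaves %2F encoded, so a request written as %2e%2e%2f (the form used in the PoC above) is not turned into '/' by this decode and the check should be verified against that exact request. Finally, the header +3061,7 counts `+    if (compress) {` as an added line, which opens a block that nothing in the hunk closes; if the file already has `if (compress) {` at that position, this should be a context line (leading space) rather than an addition.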

You can apply the patch by using the patch command:

patch --fuzz=3 --ignore-whitespace --verbose "./lib/serve/bin" -i patchfile.patch

This patch was generated with the help of AI. We verified that it works, but we still recommend that you confirm it correctly mitigates the bug and does not break the functionality of your software.

Credits: Jafar Akhoundali and Hamidreza Hamidi

Feedback:
We would like to know your opinion about the quality of this report; please fill in a brief survey with 4 questions:
https://leidenuniv.eu.qualtrics.com/jfe/form/SV_4JkS2loxBXVDlum

Severity

High


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None


CVE ID

No known CVE
