GHSA-vvmv-wrvp-9gjr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vvmv-wrvp-9gjr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-vvmv-wrvp-9gjr/GHSA-vvmv-wrvp-9gjr.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-vvmv-wrvp-9gjr
- Aliases
- Related
- Published
- 2024-07-15T17:46:57Z
- Modified
- 2024-07-15T21:38:34Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- @jmondi/url-to-png contains a Path Traversal vulnerability
- Details
-
Summary
When trying to add a
BLOCK_LISTfeature when the maintainer noticed they didn't sanitize theImageIdin the code, which leads to path traversal vulnerability. Now, this is different from a traditional path traversal issue, because as of NOW you can store the image in any place arbitrarily, and given enough time they might be able to come up with a working exploit BUT for the time being they am reporting this.Details
@jmondi/url-to-png does not sanitizing the
ImageIDas in not removing special chars from the params (extractqueryparams.ts#l75)const imageId = dateString + "." + slugify(validData.url) +configToString(params);This when fed to other parts of the code such as (filesystem.ts#L34)
return path.join(this.storagePath, imageId) + ".png";Would result in path traversal issue.
PoC
# Configuration for filesystem storage provider (optional) STORAGE_PROVIDER=filesystem IMAGE_STORAGE_PATH=pocSet this in your
.envfile and use this as your payload.http://localhost:3089/?url=http://example.com&width=400&isDarkMode=../../../../../../../../../../../../tmp/hackThis will create a
.pngfile in the/tmpsection of the system.Loom POC: https://www.loom.com/share/bd7b306cdae7445c97e68f0626e743a6
This is valid for pretty much all the arguments (except for numeric values)
A simple fix would be to use the
slugifyfor the params as well like so (#L75)- const imageId = dateString + "." + slugify(validData.url) + configToString(params); + const imageId = dateString + "." + slugify(validData.url) + slugify(configToString(params));Impact
This would be path traversal vulnerability which allows arbitrary write as of now.
- Database specific
{ "nvd_published_at": "2024-07-15T20:15:04Z", "cwe_ids": [ "CWE-22" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-07-15T17:46:57Z" }- References
-
- https://github.com/jasonraimondi/url-to-png/security/advisories/GHSA-vvmv-wrvp-9gjr
- https://nvd.nist.gov/vuln/detail/CVE-2024-39918
- https://github.com/jasonraimondi/url-to-png/commit/e4eaeca6493b21cd515b582fd6c0af09ede54507
- https://github.com/jasonraimondi/url-to-png
- https://github.com/jasonraimondi/url-to-png/blob/e43098e0af3a380ebc044e7f303a83933b94b434/src/middlewares/extract_query_params.ts#L75
- https://github.com/jasonraimondi/url-to-png/releases/tag/v2.1.2
Affected packages
npm / @jmondi/url-to-png
Package
- Name
- @jmondi/url-to-png
- View open source insights on deps.dev
- Purl
- pkg:npm/%40jmondi/url-to-png