fix(server): Uncontrolled data used in path expression#1101
fix(server): Uncontrolled data used in path expression#1101cure53 merged 1 commit intocure53:mainfrom odaysec:patch-1
Conversation
|
Not a vulnerability, the CVE was created by the "finder" without any coordination and should be deleted. |
|
@cure53 When can we expect a release of this patch ? NexusIQ scans flagging this as a high finding. |
|
It's an invalid finding, the CVE was revoked last week. |
|
@cure53 CVE-2025-48050 is reported. Is this fixed now? |
|
This was never a valid finding, however we will release 3.2.6. soon for other reasons. The CVE was released without coordination, and we had to clean that mess up. Please direct any feedback to @odaysec who decided to file the non-sense CVE and thereby cause all the kerfuffle. |
|
Hello. I would like to reproduce the vulnerability in order to proove it presence. I can not go out of filename = path.join(process.cwd(), uri);When I do It stops the path of ../ at the currrent directory. and when I do: it does not directly goes to /etc/password I debugged with: Can I have the full path please @odaysec ? |
|
it sounds to be parser with I am going to read the parser and then I will tell you. |
|
It is done! I tested! Exploit fully functional. Sorry for blaming @odaysec . exploit coming to publish in the next seconds. |
|
Just copy and past this: nc localhost 8000
GET /../../../../../etc/passwd HTTP/1.1
Host: localhost
The 2 next lines are importants :) The browser change the url itself... We have to use netcat. |
|
I also have to ensure it is not my client side GET ../ ... that did everything. |
|
Wonderfull! Just do |
|
Thank you very much to @odaysec for the reliable exploit. @cure53 Thank you also to you for organizing the release (or advice for). You sound much more experienced than us. I did not found the self intro in the commits from @cure53 itself. Might be not deservable for a CVE but if he says he founds his own mistake, it is already a great source of interest for people who want to see how vulns appear in the wild. I am not experienced in CVE publication. Does someone knows where is the proof in commit history that @odaysec has introduced the vuln please? I am also curious. |
|
I am very confused with the commit where OdaySec has introduced the vulnerability. I did: And did not found no more. |
|
@cure53 I am also very confused. Do you think he did not found? |
5 participants
DOMPurify/scripts/server.js
Line 36 in 166151c
To fix the issue, we need to ensure that the constructed file path is safe and does not allow access to files outside the intended directory. This can be achieved by:
path.resolveto remove any..segments.fs.realpathSyncto resolve symbolic links.process.cwd()).If the resolved path does not start with the root directory, the request should be rejected with an appropriate HTTP status code (e.g., 403 Forbidden).
Accessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.
POC
In the first (bad) the code reads the file name from an HTTP request, then accesses that file within a root folder. A malicious user could enter a file name containing "../" segments to navigate outside the root folder and access sensitive files.
The second (good) example shows how to avoid access to sensitive files by sanitizing the file path. First, the code resolves the file name relative to a root folder, normalizing the path and removing any "../" segments in the process. Then, the code calls
fs.realpathSyncto resolve any symbolic links in the path. Finally, the code checks that the normalized path starts with the path of the root folder, ensuring the file is contained within the root folder.References
Path Traversal
sanitize-filename package
CWE-22
CWE-23
CWE-36
CWE-73
CWE-99
Dependencies