CVE-2014-6394
Directory traversal vulnerability in send (npm)
What is CVE-2014-6394 About?
The `send` package, versions 0.8.3 and earlier, is vulnerable to directory traversal. This allows an application consumer to bypass restrictions and access files outside of the intended root directory. Exploitation is relatively easy, requiring specifically crafted paths.
Affected Software
Technical Details
The vulnerability in the `send` package (versions 0.8.3 and earlier) is a directory traversal flaw. When the `root` option is used to restrict file access to a specific directory (e.g., `__dirname + '/public'`), the validation mechanism for requested paths does not correctly sanitize or normalize them. This allows an attacker to construct a request for a file in a similarly named directory (e.g., `__dirname + '/public-restricted'`) by using specific path patterns that exploit a weakness in the path resolution logic, such as `../` sequences or encoded variations. By manipulating the requested path, an attacker can "escape" the intended root directory and access files located elsewhere on the file system, provided the vulnerable directory naming convention exists.
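The similarly-named-directory condition described above can be reproduced with a containment check that compares string prefixes. The following is an added example, not code from the `send` package: it assumes the flawed check has that shape, and the function names, the `/srv/app` layout and the sample requests are hypothetical.

```javascript
const path = require('path').posix; // POSIX semantics so results match on any OS

// Constructed layout: ROOT is what the application intends to expose; a
// sibling directory whose name merely starts with "public" sits next to it.
const ROOT = '/srv/app/public';

// Flawed check (assumed shape of the bug): normalize, then test whether the
// result starts with the root string. "/srv/app/public-restricted" passes,
// because "/srv/app/public" is a string prefix of it.
function insideRootPrefix(root, requested) {
  const resolved = path.normalize(path.join(root, requested));
  return resolved.startsWith(root);
}

// Hardened check: the resolved path must be the root itself or begin with
// root followed by a path separator, so a sibling directory cannot match.
function insideRootStrict(root, requested) {
  const base = path.resolve(root);
  const resolved = path.resolve(base, '.' + path.sep + requested);
  return resolved === base || resolved.startsWith(base + path.sep);
}

// Run both checks over a list of requested paths so differences stand out.
function compareChecks(root, requests) {
  return requests.map((requested) => ({
    requested,
    prefix: insideRootPrefix(root, requested),
    strict: insideRootStrict(root, requested),
  }));
}

// Constructed sample requests (already URL-decoded).
const SAMPLES = [
  'css/site.css',                    // legitimate file under the root
  '../config.json',                  // parent directory: both checks reject
  '../public-restricted/notes.txt',  // sibling sharing the root's name prefix
];

for (const row of compareChecks(ROOT, SAMPLES)) {
  console.log(row.requested.padEnd(34), 'prefix:', row.prefix, 'strict:', row.strict);
}
```

Only the third request separates the two checks, which is why the issue depends on a sibling directory sharing the root's name as a prefix. The comparison has to run on the decoded, fully resolved path.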
What is the Impact of CVE-2014-6394?
Successful exploitation may allow attackers to read arbitrary files outside the intended web root, potentially leading to information disclosure or access to sensitive system files.
What is the Exploitability of CVE-2014-6394?
Exploitation of this directory traversal vulnerability is of low complexity. It typically requires no authentication or specific privileges, as it affects how file requests are handled by the send package. The attack is remote, involving an attacker crafting a malicious URL path to access restricted directories. The prerequisite is that the application uses the send package with the root option and has directories named in a way that allows the traversal to succeed (e.g., public and public-restricted). Risk factors include the application being publicly accessible and the existence of similarly named directories on the server.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2014-6394?
Available Upgrade Options
- send
  - <0.8.4 → Upgrade to 0.8.4
Additional Resources
- https://nodesecurity.io/advisories/send-directory-traversal
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
- https://nvd.nist.gov/vuln/detail/CVE-2014-6394
- http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140020.html
- https://support.apple.com/HT205217
- https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a
- https://osv.dev/vulnerability/GHSA-xwg4-93c6-3h42
- https://bugzilla.redhat.com/show_bug.cgi?id=1146063
- http://lists.fedoraproject.org/pipermail/package-announce/2014-October/139938.html
- http://www.securityfocus.com/bid/70100
What are Similar Vulnerabilities to CVE-2014-6394?
Similar Vulnerabilities: CVE-2018-8012, CVE-2019-1002005, CVE-2020-13941, CVE-2021-39145, CVE-2014-2321
