CVE-2023-26111
Directory Traversal vulnerability in node-static (npm)
What is CVE-2023-26111 About?
The node-static and @nubosoftware/node-static libraries are vulnerable to directory traversal due to improper file path sanitization. This allows attackers to access arbitrary files outside the intended directory, potentially leading to information disclosure or further compromise. Exploitation is relatively straightforward given the specific flaw.
Affected Software
- node-static
- <=0.7.11
- @nubosoftware/node-static
- <=0.7.11
Technical Details
The vulnerability in node-static and @nubosoftware/node-static stems from improper file path sanitization within the startsWith() method of the servePath function. Specifically, when handling incoming file requests, the servePath function fails to correctly validate or strip directory traversal sequences (e.g., ../) from user-supplied paths. An attacker can craft a URL containing these sequences, allowing the application to resolve and serve files located outside of the intended root directory, potentially accessing sensitive system files.
What is the Impact of CVE-2023-26111?
Successful exploitation may allow attackers to read arbitrary files on the server, including configuration files, source code, and sensitive data, leading to information disclosure and potential further system compromise.
What is the Exploitability of CVE-2023-26111?
Exploitation is of low to moderate complexity, typically requiring only the ability to send HTTP requests to the vulnerable server. No authentication is generally required, as web servers often serve static files unauthenticated. Privilege requirements are low, as the vulnerability affects how file paths are resolved. This is a remote vulnerability, as attackers can trigger it via specially crafted URLs over a network. The primary special condition is that the application must be serving files using the affected node-static library. The lack of proper input validation on file paths significantly increases the likelihood of exploitation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2023-26111?
Available Upgrade Options
- No fixes available
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-3149928
- https://gist.github.com/lirantal/c80b28e7bee148dc287339cb483e42bc
- https://security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3149927
- https://github.com/cloudhead/node-static/blob/master/lib/node-static.js%23L160-L163
- https://gist.github.com/lirantal/c80b28e7bee148dc287339cb483e42bc
- https://github.com/cloudhead/node-static/blob/master/lib/node-static.js#23L160-L163
- https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-3149928
- https://nvd.nist.gov/vuln/detail/CVE-2023-26111
- https://osv.dev/vulnerability/GHSA-5g97-whc9-8g7j
- https://security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3149927
What are Similar Vulnerabilities to CVE-2023-26111?
Similar Vulnerabilities: CVE-2021-41277 , CVE-2022-29007 , CVE-2020-13936 , CVE-2023-38887 , CVE-2023-49633
