CVE-2024-24828
Insecure temporary directory (local privilege escalation) vulnerability in pkg (npm)
What is CVE-2024-24828 About?
CVE-2024-24828 affects pkg, the now-deprecated Vercel tool that packages a Node.js project, together with the Node runtime, into a single executable. Native addons and other assets that cannot be embedded as JavaScript are unpacked at run time into a shared temporary directory that any local user can write to. A local attacker who plants or modifies files in that directory gets them loaded and executed by whoever next runs the packaged binary, including a more privileged account, which makes this a local privilege escalation. Exploitation is easy for anyone with a local account, and no fixed release exists because the project is end-of-life.
Affected Software
All released versions of the `pkg` npm package (github.com/vercel/pkg). The project has been deprecated by its maintainers and no patched version has been published.
Technical Details
pkg bundles a Node.js project and the Node runtime into one executable, but anything that must exist as a real file on disk (native addons, i.e. `.node` modules, and other non-JavaScript assets) is extracted at run time into a directory named `pkg` under the system temporary location (for example `/tmp/pkg/` on Linux). Per the vendor advisory (GHSA-22r3-9w55-cj54), that directory is created with permissions that let every local user write to it, and the packaged executable later loads code from it without verifying who created the files or whether they were tampered with. The directory is shared across users and reused across runs, so a low-privileged local attacker can pre-create the expected paths, or overwrite already-extracted files, before the victim's process loads them. When a more privileged user (root, a service account, a CI runner) then executes the pkg-built binary, the attacker's code is loaded and runs with that user's privileges. This is the classic unsafe-temporary-file pattern: a predictable, world-writable path combined with an unverified load of executable content from it.
What is the Impact of CVE-2024-24828?
A local attacker gains code execution with the privileges of whichever user runs the pkg-built executable. When that user is root or a service account this is a full local privilege escalation: the attacker can read, modify or destroy anything that account can reach, so confidentiality, integrity and availability are all affected, not just confidentiality.
What is the Exploitability of CVE-2024-24828?
Exploitation requires local access, not network access: the attacker needs an account or a foothold on the same host, and a victim user who runs a pkg-built executable that loads native addons or other extracted files. No authentication to the application itself is needed, and no user interaction beyond the victim's normal use of the binary. Complexity is low: write a malicious file to the predictable extraction path before the target process loads it, or replace an already-extracted file, since the directory is writable by every local user. On its own this is not remotely exploitable, but it is an attractive second stage for any attacker who already holds an unprivileged shell. Multi-user systems, shared CI runners and hosts where a privileged account runs pkg-built tooling are where the exposure is greatest.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-24828?
Available Upgrade Options
- No fixed version: pkg is deprecated and its maintainers have stated that no patch will be released.
- Migrate to Node.js Single Executable Applications (SEA), the replacement the pkg project recommends (Node.js documentation linked below).
- Until migrated, do not run pkg-built binaries from privileged accounts on hosts with untrusted local users, and keep the process's temporary directory private and owner-only (Node's `os.tmpdir()` honours `TMPDIR` on Unix; whether a given pkg build actually respects it should be verified rather than assumed).
Additional Resources
- https://github.com/vercel/pkg
- https://nvd.nist.gov/vuln/detail/CVE-2024-24828
- https://nodejs.org/api/single-executable-applications.html
- https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54
- https://osv.dev/vulnerability/GHSA-22r3-9w55-cj54
What are Similar Vulnerabilities to CVE-2024-24828?
Similar Vulnerabilities: CVE-2021-41773, CVE-2021-42013, CVE-2020-8197, CVE-2023-46387, CVE-2022-35914
