Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2024-23340
Good to know:
Date: January 22, 2024
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with "url" behavior that is unexpected. In the standard API, if the URL contains "..", here called "double dots", the URL string returned by Request will be in the resolved path. However, the "url" in @hono/node-server's Request as does not resolve double dots, so "http://localhost/static/.. /foo.txt" is returned. This causes vulnerabilities when using "serveStatic". Modern web browsers and a latest "curl" command resolve double dots on the client side, so this issue doesn't affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don't use "serveStatic".
Language: TYPE_SCRIPT
Severity Score
Related Resources (6)
Severity Score
Weakness Type (CWE)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22Top Fix
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | LOW |
| Integrity (I): | NONE |
| Availability (A): | NONE |