Home > Vulnerability Database > CVE-2024-49770

Mend.io Vulnerability Database

CVE-2024-49770

Good to know:

Date: November 1, 2024

"oak" is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. By default "oak" does not allow transferring of hidden files with "Context.send" API. However, prior to version 17.1.3, this can be bypassed by encoding "/" as its URL encoded form "%2F". For an attacker this has potential to read sensitive user data or to gain access to server secrets. Version 17.1.3 fixes the issue.

Language: JS

Severity Score

7.5

Related Resources (7)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-49770

Url: https://github.com/oakserver/oak

Url: https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125

Url: https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25

Url: https://github.com/oakserver/oak/security/advisories/GHSA-qm92-93fv-vh7m

Url: https://github.com/oakserver/oak/commit/4b2f27efd5cba5a45b2c3982e610da3af0869209

Url: https://www.mend.io/vulnerability-database/CVE-2024-49770

Severity Score

7.5

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Path Traversal: '.../...//'

CWE-35

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-49770

Good to know:

Date: November 1, 2024

Language: JS

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?