esmsh, Path Traversal, CVE-2024-43604 (Medium)

Listen to this Post

The vulnerability exists within the `router.go` file of the esm.sh service. Specifically, the code handling the `X-Zone-Id` HTTP header during a POST request to the `/transform` endpoint uses the header’s value to construct a filesystem path without proper sanitization. The value is appended to a base directory path. An attacker can supply a header value containing path traversal sequences, such as ../../. During path concatenation, these sequences are not neutralized, causing the resulting absolute path to resolve to a location outside the intended base storage directory. This allows arbitrary file write primitives, where the application writes a file to an attacker-specified location on the filesystem instead of the confined storage area.
Platform: esm.sh
Version: (pre-patch)
Vulnerability: Path Traversal
Severity: Medium

date: 2024-05-22

Prediction: 2024-06-05

What Undercode Say:

curl -X POST http://localhost:8888/transform \
-H "X-Zone-Id: ../../modules/transform/attacker_id/" \
-H "Content-Type: application/json" \
-d '{"filename":"poc.js","code":"malicious_code"}'
// Vulnerable code snippet from router.go L411
zoneID := r.Header.Get("X-Zone-Id")
storagePath := filepath.Join(baseDir, zoneID, filename)

How Exploit:

Path traversal via X-Zone-Id header.

Protection from this CVE

Sanitize input, restrict path traversal.

Impact:

Arbitrary file write, potential RCE.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top