Listen to this Post
The vulnerability exists within the `router.go` file of the esm.sh service. Specifically, the code handling the `X-Zone-Id` HTTP header during a POST request to the `/transform` endpoint uses the header’s value to construct a filesystem path without proper sanitization. The value is appended to a base directory path. An attacker can supply a header value containing path traversal sequences, such as ../../. During path concatenation, these sequences are not neutralized, causing the resulting absolute path to resolve to a location outside the intended base storage directory. This allows arbitrary file write primitives, where the application writes a file to an attacker-specified location on the filesystem instead of the confined storage area.
Platform: esm.sh
Version: (pre-patch)
Vulnerability: Path Traversal
Severity: Medium
date: 2024-05-22
Prediction: 2024-06-05
What Undercode Say:
curl -X POST http://localhost:8888/transform \
-H "X-Zone-Id: ../../modules/transform/attacker_id/" \
-H "Content-Type: application/json" \
-d '{"filename":"poc.js","code":"malicious_code"}'
// Vulnerable code snippet from router.go L411
zoneID := r.Header.Get("X-Zone-Id")
storagePath := filepath.Join(baseDir, zoneID, filename)
How Exploit:
Path traversal via X-Zone-Id header.
Protection from this CVE
Sanitize input, restrict path traversal.
Impact:
Arbitrary file write, potential RCE.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

