TinaCMS, Path Traversal, CVE-2024-32652 (Critical)

Listen to this Post

The TinaCMS CLI dev server, when running tinacms dev, starts a Vite development server with a critical misconfiguration. In the file packages/@tinacms/cli/src/next/vite/index.ts, the `server.fs.strict` option is explicitly set to false. This disables Vite’s built-in filesystem access restriction, which normally prevents serving files from outside the workspace root. Additionally, the server applies permissive CORS (cors() with no origin restrictions) and only intercepts specific routes (/media/, /graphql, etc.). Any request to a path not matching these routes is passed to Vite’s default static file handler, which resolves and serves the file directly from the absolute filesystem path. An unauthenticated attacker who can reach the dev server (commonly on port 4001) can exploit this to read arbitrary files readable by the server process. This includes sensitive files like /etc/passwd, SSH private keys, environment variables via /proc/self/environ, and cloud credentials. The vulnerability is especially dangerous in cloud IDEs (e.g., GitHub Codespaces) where ports are automatically forwarded and publicly accessible, or in misconfigured environments binding to 0.0.0.0. The issue affects all TinaCMS versions prior to 1.6.2 and was patched in versions 1.6.2 and 2.0.0.

dailycve form:

Platform: TinaCMS CLI
Version: Prior to 1.6.2
Vulnerability: Arbitrary File Read
Severity: Critical
date: 2024-04-16

Prediction: Patched in 1.6.2

What Undercode Say:

Analytics:

Critical vulnerability (CVSS 9.8) affecting all TinaCMS dev servers exposed to network. Thousands of cloud IDE instances potentially vulnerable. Exploitation requires no authentication and is trivial to execute.

Bash commands/codes:

Check if dev server is vulnerable
curl http://target:4001/etc/passwd
Read environment variables
curl http://target:4001/proc/self/environ
Read SSH private key
curl http://target:4001/home/user/.ssh/id_rsa
Vulnerable code snippet (from packages/@tinacms/cli/src/next/vite/index.ts)
server: {
host: configManager.config?.build?.host ?? false,
fs: {
strict: false, // Disables filesystem restriction
},
}

How Exploit:

  1. Identify a TinaCMS dev server running on port 4001 (default).
  2. Send a GET request to an absolute path like /etc/passwd.
  3. The request bypasses middleware and is handled by Vite’s static file server.
  4. The server reads the file from the host filesystem and returns its contents.
  5. Attacker can iteratively read any file the server process has access to.

Protection from this CVE:

  • Upgrade to TinaCMS >=1.6.2 or >=2.0.0.
  • If unable to upgrade, manually set `server.fs.strict: true` in the Vite config.
  • Ensure dev server is not exposed to untrusted networks (bind to localhost only).
  • In cloud IDEs, disable automatic port forwarding or restrict access via firewall.

Impact:

Complete compromise of host system secrets, including credentials, SSH keys, environment variables, and configuration files. Can lead to privilege escalation, lateral movement, and full account takeover.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top