CVE-2024-23340 – @hono/node-server

Package

Manager: npm
Name: @hono/node-server
Vulnerable Version: >=1.3.0 <1.4.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00335 pctl0.55658

Details

@hono/node-server cannot handle "double dots" in URL ### Impact Since v1.3.0, we use our own Request object. This is great, but the `url` behavior is unexpected. In the standard API, if the URL contains `..`, here called "double dots", the URL string returned by Request will be in the resolved path. ```ts const req = new Request('http://localhost/static/../foo.txt') // Web-standards console.log(req.url) // http://localhost/foo.txt ``` However, the `url` in our Request does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. ```ts const req = new Request('http://localhost/static/../foo.txt') console.log(req.url) // http://localhost/static/../foo.txt ``` It will pass unresolved paths to the web application. This causes vulnerabilities like #123 when using `serveStatic`. Note: Modern web browsers and a latest `curl` command resolve double dots on the client side, so it does not affect you if the user uses them. However, problems may occur if accessed by a client that does not resolve them. ### Patches "v1.4.1" includes the change to fix this issue. ### Workarounds Don't use `serveStatic`.

Metadata

Created: 2024-01-23T14:42:51Z
Modified: 2024-01-23T14:42:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-rjq5-w47x-x359/GHSA-rjq5-w47x-x359.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-rjq5-w47x-x359
Finding: F063
Auto approve: 1