Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yanE1LXc0N3gteDM1Oc4AA4oP
@hono/node-server cannot handle "double dots" in URL
Impact
Since v1.3.0, we use our own Request object. This is great, but the url behavior is unexpected.
In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request will be in the resolved path.
const req = new Request('http://localhost/static/../foo.txt') // Web-standards
console.log(req.url) // http://localhost/foo.txt
However, the url in our Request does not resolve double dots, so http://localhost/static/.. /foo.txt is returned.
const req = new Request('http://localhost/static/../foo.txt')
console.log(req.url) // http://localhost/static/../foo.txt
It will pass unresolved paths to the web application. This causes vulnerabilities like #123 when using serveStatic.
Note: Modern web browsers and a latest curl command resolve double dots on the client side, so it does not affect you if the user uses them. However, problems may occur if accessed by a client that does not resolve them.
Patches
"v1.4.1" includes the change to fix this issue.
Workarounds
Don't use serveStatic.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yanE1LXc0N3gteDM1Oc4AA4oP
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-rjq5-w47x-x359, CVE-2024-23340
References:
- https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359
- https://nvd.nist.gov/vuln/detail/CVE-2024-23340
- https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402
- https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45
- https://github.com/advisories/GHSA-rjq5-w47x-x359
Blast Radius: 8.1
Affected Packages
npm:@hono/node-server
Dependent packages: 4Dependent repositories: 34
Downloads: 412,271 last month
Affected Version Ranges: >= 1.3.0, < 1.4.1
Fixed in: 1.4.1
All affected versions: 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.4.0
All unaffected versions: 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.4.1, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.11.0, 1.11.1