CVE-2023-39584
HIGH 7.5 | EPSS 4.7%
Hexo `include_code` has a path traversal
Published: 9/8/2023 | Modified: 9/5/2025
Also known as: GHSA-x2jc-989c-47q4
Description
Hexo up to v7.1.1 was discovered to contain an arbitrary file read vulnerability.
Affected packages (1)
- npm/hexo from 0, < 7.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-39584
- PATCH: https://github.com/hexojs/hexo
- WEB: https://github.com/hexojs/hexo/blob/a3e68e7576d279db22bd7481914286104e867834/lib/plugins/tag/include_code.js#L49
- WEB: https://github.com/hexojs/hexo/blob/cefee921153ba597316457f4fedf7b87b6516917/lib/plugins/tag/include_code.ts#L50
- WEB: https://github.com/hexojs/hexo/commit/b5b63caee27256d71a0cee8954c22375ec885d07
- WEB: https://github.com/hexojs/hexo/issues/5250
- WEB: https://github.com/hexojs/hexo/pull/5251