Platform: nodejs
Component: @vendure/asset-server-plugin
Fixed in: 2.3.4, 3.0.1, 2.3.3
CVE-2024-48914 describes a critical path traversal vulnerability discovered in the Vendure Asset Server Plugin. This flaw allows attackers to access arbitrary files on the server, potentially exposing sensitive configuration data, environment variables, and other critical information. The vulnerability impacts versions of the plugin prior to 2.3.3, and a fix has been released. Exploitation is achieved by crafting malicious requests that bypass file system access controls.
The impact of this vulnerability is significant. An attacker can leverage it to retrieve sensitive data directly from the server's file system. This includes configuration files containing database credentials, API keys, and other secrets. Environment variables, which often store sensitive information like database passwords or external service tokens, are also at risk. Successful exploitation could lead to complete compromise of the Vendure instance, enabling attackers to steal data, modify configurations, or even gain remote code execution if the retrieved files contain exploitable code. The ability to read arbitrary files represents a severe breach of confidentiality and integrity.
This vulnerability was publicly disclosed on 2024-10-15. A proof-of-concept (POC) demonstrating the path traversal has been published, making exploitation relatively straightforward. The vulnerability's ease of exploitation and the potential for significant data exposure suggest a medium to high probability of exploitation. It is not currently listed on CISA KEV as of this writing, but its severity warrants close monitoring. The provided POC highlights the simplicity of exploiting the flaw.
Exploit Status
EPSS: 92.50% (100th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-48914 is to immediately upgrade the Vendure Asset Server Plugin to version 2.3.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These might include restricting access to the `/assets` endpoint using a Web Application Firewall (WAF) or proxy server to block requests containing path traversal sequences (e.g., `../`). Carefully review and harden file system permissions to limit the potential impact of a successful attack. Monitor access logs for suspicious requests targeting the `/assets` endpoint. After upgrading, confirm the fix by attempting the provided POC (`curl --path-as-is http://localhost:3000/assets/../package.json`) and verifying that it no longer returns the contents of arbitrary files.
Update Vendure to version 2.3.3 or higher, or to version 3.0.5 or higher. Alternatively, use object storage instead of the local file system (e.g. MinIO or S3). You can also define a middleware that detects and blocks requests with URLs containing `/../`.
CVE-2024-48914 is a critical path traversal vulnerability in the Vendure Asset Server Plugin allowing attackers to access arbitrary files on the server.
You are affected if you are using a version of the Vendure Asset Server Plugin prior to 2.3.3.
Upgrade the Vendure Asset Server Plugin to version 2.3.3 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
While active exploitation is not confirmed, a public POC exists, increasing the likelihood of exploitation.
Refer to the Vendure security advisory for detailed information and updates: [https://vendure.io/blog/security-advisory-cve-2024-48914](https://vendure.io/blog/security-advisory-cve-2024-48914)