Platform: nodejs
Component: @oakserver/oak
Fixed in: 17.1.4, 14.1.1
CVE-2024-49770 describes a Path Traversal vulnerability discovered in the @oakserver/oak Node.js framework. This flaw allows attackers to bypass intended restrictions on accessing hidden files by exploiting an unexpected behavior in the decodeComponent function. Versions of @oakserver/oak prior to 17.1.3 are affected, and upgrading is the recommended solution.
The vulnerability lies in how @oakserver/oak handles URL-encoded characters when serving files. By default, the framework refuses to serve hidden files. An attacker can circumvent this protection by encoding the forward slash / as %2F in the URL, so the hidden-file check does not see the decoded path segment. This allows access to files and directories that should be protected, including sensitive configuration files, source code, or other data stored on the server. Successful exploitation could lead to unauthorized disclosure of information and potentially further compromise of the system.
This vulnerability was publicly disclosed on 2024-11-01. While no active exploitation campaigns have been publicly reported, the availability of a relatively straightforward bypass technique increases the likelihood of exploitation. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept code is likely to emerge given the ease of exploitation.
Exploit Status
EPSS: 0.14% (34th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-49770 is to upgrade to version 17.1.3 or later of @oakserver/oak. This version includes a fix that addresses the flawed decodeComponent behavior. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing URL-encoded forward slashes (%2F) in file paths. Additionally, review and restrict file permissions to minimize the potential impact of unauthorized access. After upgrading, confirm the fix by attempting to access a hidden file using a URL containing %2F – access should be denied.
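As an added example, not code from the oak project or from this advisory, the following Node.js snippet contrasts a naive hidden-file check that inspects the still-encoded request path with a hardened check that decodes first and then inspects every path segment. Function names and the sample request paths are constructed for illustration; the hardened check also rejects double encoding, malformed encoding, and parent-directory traversal, which the page mentions only as related risks.

```javascript
// Added example, hypothetical names: a defensive path check for a static-file
// handler that must never serve hidden (dot-prefixed) files.

// Naive check: splits the raw, still-encoded path on "/". An encoded slash
// (%2F) is not a separator here, so "/public%2F.env" yields the single
// segment "public%2F.env", which does not start with ".", and the hidden-file
// rule is bypassed. This mirrors the flaw class described in CVE-2024-49770.
function isHiddenPathNaive(rawPath) {
  return rawPath.split("/").some((seg) => seg.startsWith("."));
}

// Hardened check: decode once, reject anything still encoded, then inspect
// each decoded segment. Returns an object so the caller can log the reason.
function checkRequestPath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    // decodeURIComponent throws URIError on sequences such as "%zz"
    return { allowed: false, reason: "malformed percent-encoding" };
  }
  // A "%" surviving one decode means the client double-encoded the path
  // ("%252F" decodes to "%2F"); refuse rather than decode again.
  if (decoded.includes("%")) {
    return { allowed: false, reason: "double-encoded path" };
  }
  if (decoded.includes("\0")) {
    return { allowed: false, reason: "NUL byte in path" };
  }
  // Treat both slash styles as separators so "\" cannot hide a segment,
  // and drop empty and "." segments, which carry no meaning.
  const segments = decoded
    .split(/[\\/]+/)
    .filter((seg) => seg.length > 0 && seg !== ".");
  if (segments.includes("..")) {
    return { allowed: false, reason: "parent-directory traversal" };
  }
  const hidden = segments.find((seg) => seg.startsWith("."));
  if (hidden !== undefined) {
    return { allowed: false, reason: `hidden segment "${hidden}"` };
  }
  return { allowed: true, path: "/" + segments.join("/") };
}

// Constructed sample requests, including the post-upgrade regression case
// from the mitigation text (a hidden file requested through %2F).
const SAMPLE_REQUESTS = [
  "/public/index.html",
  "/.env",
  "/public%2F.env",
  "/public%252F.env",
  "/public/..%2Fsecret.txt",
  "/public/%zz",
];

// Runs both checks over the samples so the difference is visible side by side.
function classify(requests = SAMPLE_REQUESTS) {
  return requests.map((request) => ({
    request,
    naiveBlocks: isHiddenPathNaive(request),
    hardened: checkRequestPath(request),
  }));
}

for (const row of classify()) {
  console.log(
    `${row.request.padEnd(26)} naive blocks: ${String(row.naiveBlocks).padEnd(5)} ` +
      `hardened: ${row.hardened.allowed ? "allow " + row.hardened.path : "deny (" + row.hardened.reason + ")"}`
  );
}
```

The key design choice is ordering: the hidden-file decision is made only on fully decoded segments, and anything that would require a second decode is refused outright instead of being normalised. The same ordering is what a WAF rule blocking %2F approximates from the outside.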
Update the `oak` dependency to version 17.1.3 or later. This fixes the path traversal vulnerability that allows access to hidden files. Run `npm update oak` or `yarn upgrade oak` to update.
CVE-2024-49770 is a Path Traversal vulnerability in @oakserver/oak that allows attackers to bypass hidden file restrictions by URL encoding / as %2F, potentially exposing sensitive data.
Yes, if you are using @oakserver/oak versions less than or equal to 14.1.0, you are affected by this vulnerability.
Upgrade to version 17.1.3 or later of @oakserver/oak to remediate the vulnerability. Consider WAF rules as a temporary workaround.
While no active exploitation campaigns have been publicly reported, the ease of exploitation suggests a potential risk.
Refer to the @oakserver/oak project's repository and release notes for the official advisory and details on the fix.