Platform: nodejs
Component: path-sanitizer
Fixed in: 3.1.1, 3.1.0
CVE-2024-56198 describes a path traversal vulnerability discovered in the path-sanitizer npm package. This vulnerability allows attackers to bypass the intended sanitization filters, potentially leading to unauthorized access to files and directories on the system. The vulnerability affects versions prior to 3.1.0 and can be exploited through crafted payloads. A fix has been released in version 3.1.0.
The path-sanitizer package is designed to sanitize file paths, preventing malicious users from accessing sensitive files or executing arbitrary code. However, CVE-2024-56198 demonstrates that the sanitization logic can be bypassed. An attacker can craft payloads, such as ..=%5c, to escape the sanitization filters and traverse the file system. This could allow them to read sensitive configuration files, source code, or even execute arbitrary code if the application uses the unsanitized path to interact with the file system. The potential impact is significant, particularly in applications that rely on this package for security.
This vulnerability was publicly disclosed on January 2, 2025. A proof-of-concept (PoC) demonstrating the bypass has been published, making exploitation relatively straightforward. The vulnerability is not currently listed on CISA KEV, and there are no reports of active exploitation campaigns. The ease of exploitation combined with the widespread use of npm packages increases the potential for exploitation.
Applications that utilize the path-sanitizer package for file path sanitization are at risk. This includes web applications, backend services, and any Node.js projects that rely on this package to prevent path traversal vulnerabilities. Shared hosting environments where multiple applications share the same Node.js installation are particularly vulnerable.
• nodejs / supply-chain:
npm list path-sanitizer
• nodejs / supply-chain:
npm audit path-sanitizer
• generic web:
curl -I 'https://example.com/path/to/file..=%5c' # Check for directory traversal
disclosure
Exploit status
EPSS
0.60% (percentile 69%)
CISA SSVC
The primary mitigation for CVE-2024-56198 is to upgrade the path-sanitizer package to version 3.1.0 or later. This version includes a fix for the bypass vulnerability. If upgrading is not immediately feasible, consider implementing additional input validation on the application side to ensure that file paths are properly sanitized before being used. WAF rules can also be implemented to block requests containing suspicious path traversal payloads. Specifically, look for patterns like ..=%5c or other URL-encoded path traversal sequences. After upgrading, confirm the fix by attempting to access files outside of the intended directory using a crafted payload.
Update the path-sanitizer package to version 3.1.0 or later. This will resolve the path traversal vulnerability. Run `npm install path-sanitizer@latest` or `yarn upgrade path-sanitizer` to update.
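One way to implement the application-side validation mentioned above, as an added example (not code from the path-sanitizer project or from this advisory): resolve the final path against a base directory and reject anything that lands outside it, whatever a sanitizer did beforehand. `BASE_DIR`, `resolveInside` and `isInside` are hypothetical names, and the sample inputs are constructed.

```javascript
// Added example: containment check on the final path, independent of any sanitizer.
const path = require('node:path');

// Hypothetical upload root, chosen for illustration.
const BASE_DIR = '/srv/app/uploads';

// Returns the absolute path if it stays inside baseDir, otherwise throws.
function resolveInside(baseDir, untrusted) {
  if (typeof untrusted !== 'string' || untrusted.length === 0) {
    throw new Error('path must be a non-empty string');
  }
  let decoded;
  try {
    decoded = decodeURIComponent(untrusted); // %5c -> "\", %2e -> "."
  } catch {
    throw new Error('malformed percent-encoding');
  }
  // Strict policy: no NUL bytes, and nothing that still looks encoded
  // after one decode pass (double encoding such as %252e).
  if (decoded.includes('\0') || /%[0-9a-f]{2}/i.test(decoded)) {
    throw new Error('rejected: NUL byte or residual encoding');
  }
  // Treat "\" as a separator on every platform so "..\" cannot hide on POSIX.
  const unified = decoded.replace(/\\/g, '/');
  const base = path.resolve(baseDir);
  const target = path.resolve(base, unified);
  const rel = path.relative(base, target);
  // Compare whole segments: a directory literally named "..=" is not "..".
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('rejected: path escapes base directory');
  }
  return target;
}

// Boolean wrapper for callers that only need a yes/no answer.
function isInside(baseDir, untrusted) {
  try { resolveInside(baseDir, untrusted); return true; } catch { return false; }
}

// Constructed sample inputs, not taken from any real request log.
const samples = ['reports/q3.pdf', 'a/../b.txt', '..%5c..%5cetc%5cpasswd',
  '%252e%252e%252fetc', '/etc/passwd'];
for (const s of samples) {
  console.log(s.padEnd(26), isInside(BASE_DIR, s) ? 'allow' : 'reject');
}
```

Call the check on the exact string that is about to be passed to the file system API, after any other sanitization has run, so that it validates the path actually used.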
CVE-2024-56198 is a critical vulnerability in the path-sanitizer npm package allowing attackers to bypass sanitization filters and potentially access files on the system.
You are affected if you are using a version of path-sanitizer prior to 3.1.0. Check your project dependencies to determine if you are vulnerable.
Upgrade the path-sanitizer package to version 3.1.0 or later. Implement additional input validation as a secondary defense.
While there are no confirmed reports of active exploitation, the availability of a public PoC increases the risk of exploitation.
Refer to the npm advisory and the path-sanitizer GitHub repository for updates and information related to this vulnerability.