Path Traversal Affecting @hono/node-server package, versions >=1.3.0 <1.4.1


Severity

medium

Threat Intelligence

EPSS: 0.05% (21st percentile)

  • Snyk ID SNYK-JS-HONONODESERVER-6184775
  • published 25 Jan 2024
  • disclosed 23 Jan 2024
  • credit Unknown

How to fix?

Upgrade @hono/node-server to version 1.4.1 or higher.

Overview

@hono/node-server is a Node.js adapter for Hono.

Affected versions of this package are vulnerable to Path Traversal via the serveStatic function. An attacker can access restricted directories on the server by crafting a URL that includes directory traversal characters such as "..".

Note: Modern web browsers and the latest curl command resolve double dots on the client side, so users of those clients are not affected. However, problems may occur when the server is accessed by a client that does not resolve them.

CVSS Scores

version 3.1

Snyk

5.3 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    None
  • Availability (A)
    None

NVD

5.3 medium