CVE-2026-6636
Status: Received - Intake
Path Traversal in p2r3 API's Bun.serve Enables Remote Exploit

Publication date: 2026-04-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in p2r3 convert up to 6998584ace3e11db66dff0b423612a5cf91de75b. Affected is the function Bun.serve of the file buildCache.js of the component API. Manipulation of the argument pathname results in path traversal. The attack can be initiated remotely. The exploit is now public and may be used. This product uses a rolling release to provide continuous delivery; therefore, no version details for affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-20
EPSS evaluated: 2026-06-15
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
Executive Summary

This vulnerability is a path traversal issue in the p2r3 convert project's buildCache.js file, specifically in the Bun.serve function. It occurs because the server takes a pathname from a request URL, removes a prefix, and then directly uses this path to access files without properly validating or normalizing it.

An attacker can exploit this by injecting directory traversal sequences (like ../) into the pathname, allowing them to access files outside the intended directory (dist). This means unauthorized files such as configuration files, source code, or other sensitive system files could be accessed remotely.

The vulnerability arises from improper sanitization of user-supplied path parameters and lack of path normalization or boundary checks in the server code.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive files on the server. Attackers can remotely access files outside the intended directory, such as configuration files (package.json, tsconfig.json, .env), source code, or other sensitive system files depending on server permissions.

Such unauthorized access can expose sensitive information that may be used for further attacks, compromise system integrity, or leak confidential data.

Detection Guidance

This vulnerability can be detected by sending crafted HTTP requests that attempt path traversal sequences to the vulnerable server endpoint and observing if files outside the intended directory are returned.

A suggested command to test for this vulnerability is using curl with the --path-as-is flag to prevent client-side normalization and attempt to access sensitive files outside the intended directory.

  • curl --path-as-is http://localhost:8080/convert/../../package.json

If the server responds with the contents of files like package.json, tsconfig.json, or .env located outside the /dist directory, it confirms the presence of the path traversal vulnerability.

Mitigation Strategies

Immediate mitigation involves implementing path normalization and validation to ensure that requested paths do not escape the intended directory.

Specifically, use Node.js path utilities such as join, resolve, and normalize to resolve absolute paths and verify that the resolved path starts with the root directory path.

If a path traversal attempt is detected (i.e., the resolved path does not start with the root directory), the server should respond with a 403 Forbidden status.

Example code fix to mitigate the vulnerability:

    import { join, resolve, normalize, sep } from "path";
    // Strip the route prefix; an empty remainder serves the index page.
    const requestedPath = new URL(req.url).pathname.replace("/convert/", "") || "index.html";
    const rootDir = resolve(__dirname, "dist");
    // resolve() collapses ".." segments and turns an absolute request path into one outside rootDir.
    const targetPath = resolve(rootDir, normalize(requestedPath));
    // Compare against rootDir plus a separator: a bare prefix check would also accept a sibling such as "dist-old".
    if (targetPath !== rootDir && !targetPath.startsWith(rootDir + sep)) {
      return new Response("Forbidden", { status: 403 });
    }
    const file = Bun.file(targetPath);

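A stand-alone version of that containment check, added here as an example rather than code from the p2r3 convert project. It assumes the built site lives in ./dist and keeps the /convert/ prefix and 403 response described above; beyond the snippet it also decodes percent-encoded dot segments before resolving, rejects NUL bytes, and requires a path separator after the root so a sibling directory that merely shares the "dist" prefix is not accepted.

```javascript
import { resolve, sep } from "node:path";

// Assumption: the built site lives in ./dist next to the server process.
const ROOT_DIR = resolve(process.cwd(), "dist");

// Map a request pathname to a file under rootDir; return null if the request
// would resolve outside it. Returning null (rather than throwing) keeps the
// 403 decision in one place in the handler below.
function safeResolve(pathname, rootDir = ROOT_DIR) {
  let rel;
  try {
    rel = decodeURIComponent(pathname); // so %2e%2e is checked as real dots
  } catch {
    return null; // malformed percent-encoding
  }
  if (rel.includes("\0")) return null; // NUL bytes never belong in a file name
  // Strip the /convert/ prefix only at the start of the path (the original
  // code strips its first occurrence anywhere); an empty path serves index.html.
  rel = rel.replace(/^\/convert\//, "") || "index.html";
  // resolve() collapses ".." and lets an absolute rel replace rootDir outright,
  // so the containment test below catches both forms.
  const target = resolve(rootDir, rel);
  // Require rootDir followed by a separator: a plain startsWith(rootDir)
  // would also accept "/srv/app/dist-private/...".
  if (!target.startsWith(rootDir + sep)) return null;
  return target;
}

// Bun.serve fetch handler built on the check above.
function fetchHandler(req) {
  const target = safeResolve(new URL(req.url).pathname);
  if (target === null) return new Response("Forbidden", { status: 403 });
  return new Response(Bun.file(target));
}

// Start the server only when actually running under Bun.
if (typeof Bun !== "undefined") {
  Bun.serve({ port: 8080, fetch: fetchHandler });
}
```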
Compliance Impact

This vulnerability allows unauthorized disclosure of sensitive files through path traversal, potentially exposing configuration files, source code, and other sensitive system files.

Such unauthorized data exposure can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive and personal data from unauthorized access.

If sensitive personal or health-related information is stored or accessible via the affected system, this vulnerability could result in data breaches that violate these regulations.
