CVE-2024-49770 HIGH

CVE-2024-49770: oak's path traversal allows transfer of hidden files within the served root directory

Vendor Oakserver
Product oak
Weakness CWE-35
Published November 1, 2024
Last update November 1, 2024

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

`oak` is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. By default `oak` does not allow transferring of hidden files with `Context.send` API. However, prior to version 17.1.3, this can be bypassed by encoding `/` as its URL encoded form `%2F`. For an attacker this has potential to read sensitive user data or to gain access to server secrets. Version 17.1.3 fixes the issue.

Key dates

02Disclosure timeline

November 1, 2024 CVE published
November 1, 2024 Record updated