Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-f6gv-hh8j-q8vq: Named path parameters can be overridden in TrieRouter

Impact

The clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources.

TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.

The code to reproduce it. The server side application:

import { Hono } from 'hono'
import { TrieRouter } from 'hono/router/trie-router'

const wait = async (ms: number) => {
  return new Promise((resolve) => {
    setTimeout(resolve, ms)
  })
}

const app = new Hono({ router: new TrieRouter() })

app.use('*', async (c, next) => {
  await wait(Math.random() * 200)
  return next()
})

app.get('/modules/:id/versions/:version', async (c) => {
  const id = c.req.param('id')
  const version = c.req.param('version')

  console.log('path', c.req.path)
  console.log('version', version)

  return c.json({
    id,
    version,
  })
})

export default app

The client code which makes requests to the server application:

const examples = [
  'http://localhost:8787/modules/first/versions/first',
  'http://localhost:8787/modules/second/versions/second',
  'http://localhost:8787/modules/third/versions/third',
]

const test = () => {
  for (const example of examples) {
    fetch(example)
      .then((response) => response.json())
      .then((data) => {
        const splitted = example.split('/')
        const expected = splitted[splitted.length - 1]

        if (expected !== data.version) {
          console.error(`Error: exprected ${expected} but got ${data.version} - url was ${example}`)
        }
      })
  }
}

test()

The results:

Error: exprected second but got third - url was http://localhost:8787/modules/second/versions/second
Error: exprected first but got third - url was http://localhost:8787/modules/first/versions/first

Patches

“v3.11.7” includes the change to fix this issue.

Workarounds

Don’t use TrieRouter directly.

// DON'T USE TrieRouter
import { TrieRouter } from 'hono/router/trie-router'
const app = new Hono({ router: new TrieRouter() })

References

Router options on the Hono website: https://hono.dev/api/hono#router-option

ghsa
#web#js#git
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-50710

Named path parameters can be overridden in TrieRouter

Moderate severity GitHub Reviewed Published Dec 14, 2023 in honojs/hono • Updated Dec 15, 2023

Affected versions

< 3.11.7

Impact

The clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources.

TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.

The code to reproduce it. The server side application:

import { Hono } from ‘hono’ import { TrieRouter } from ‘hono/router/trie-router’

const wait = async (ms: number) => { return new Promise((resolve) => { setTimeout(resolve, ms) }) }

const app = new Hono({ router: new TrieRouter() })

app.use('*’, async (c, next) => { await wait(Math.random() * 200) return next() })

app.get('/modules/:id/versions/:version’, async © => { const id = c.req.param(‘id’) const version = c.req.param(‘version’)

console.log('path’, c.req.path) console.log('version’, version)

return c.json({ id, version, }) })

export default app

The client code which makes requests to the server application:

const examples = [ 'http://localhost:8787/modules/first/versions/first’, 'http://localhost:8787/modules/second/versions/second’, 'http://localhost:8787/modules/third/versions/third’, ]

const test = () => { for (const example of examples) { fetch(example) .then((response) => response.json()) .then((data) => { const splitted = example.split(‘/’) const expected = splitted[splitted.length - 1]

    if (expected !== data.version) {
      console.error(\`Error: exprected ${expected} but got ${data.version} - url was ${example}\`)
    }
  })

} }

test()

The results:

Error: exprected second but got third - url was http://localhost:8787/modules/second/versions/second Error: exprected first but got third - url was http://localhost:8787/modules/first/versions/first

Patches

“v3.11.7” includes the change to fix this issue.

Workarounds

Don’t use TrieRouter directly.

// DON’T USE TrieRouter import { TrieRouter } from ‘hono/router/trie-router’ const app = new Hono({ router: new TrieRouter() })

References

Router options on the Hono website: https://hono.dev/api/hono#router-option

References

  • GHSA-f6gv-hh8j-q8vq
  • https://nvd.nist.gov/vuln/detail/CVE-2023-50710
  • honojs/hono@8e2b6b0
  • https://github.com/honojs/hono/releases/tag/v3.11.7

Published to the GitHub Advisory Database

Dec 15, 2023

Last updated

Dec 15, 2023

Related news

CVE-2023-50710: Named path parameters can be overridden in TrieRouter

Hono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources. TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter. Version 3.11.7 includes the change to fix this issue. As a workaround, avoid using TrieRouter directly.