GHSA-rjq5-w47x-x359: @hono/node-server cannot handle "double dots" in URL

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2024-23340

@hono/node-server cannot handle “double dots” in URL

Moderate severity GitHub Reviewed Published Jan 21, 2024 in honojs/node-server • Updated Jan 23, 2024

Package

npm @hono/node-server (npm)

Affected versions

>= 1.3.0, < 1.4.1

Impact

Since v1.3.0, we use our own Request object. This is great, but the url behavior is unexpected.

In the standard API, if the URL contains …, here called "double dots", the URL string returned by Request will be in the resolved path.

const req = new Request(‘http://localhost/static/…/foo.txt’) // Web-standards console.log(req.url) // http://localhost/foo.txt

However, the url in our Request does not resolve double dots, so http://localhost/static/… /foo.txt is returned.

const req = new Request(‘http://localhost/static/…/foo.txt’) console.log(req.url) // http://localhost/static/…/foo.txt

It will pass unresolved paths to the web application. This causes vulnerabilities like #123 when using serveStatic.

Note: Modern web browsers and a latest curl command resolve double dots on the client side, so it does not affect you if the user uses them. However, problems may occur if accessed by a client that does not resolve them.

Patches

“v1.4.1” includes the change to fix this issue.

Workarounds

Don’t use serveStatic.

References

• GHSA-rjq5-w47x-x359
• https://nvd.nist.gov/vuln/detail/CVE-2024-23340
• honojs/node-server@dd9b9a9
• https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45

Published to the GitHub Advisory Database

Jan 23, 2024

Last updated

Jan 23, 2024