Miggo Logo

CVE-2014-6394: Directory Traversal in send

7.5

CVSS Score

Basic Information

EPSS Score
0.89047%
Published
10/24/2017
Updated
1/9/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
AV:N/AC:L/Au:N/C:P/I:P/A:P
Package NameEcosystemVulnerable VersionsFirst Patched Version
sendnpm< 0.8.40.8.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from how root path normalization and comparison were handled in SendStream's pipe method. The original code normalized the root without a trailing separator (normalize(root)), then checked if the requested path started with this root. This allowed paths like '/public-restricted' to match '/public' due to partial prefix matching. The fix adds a trailing separator to the root during normalization (normalize(root + sep)), ensuring exact directory boundary matching. The code changes in lib/send.js and associated test cases in the commit confirm this was the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions *.*.* *n* **rli*r o* `s*n*` *r* *****t** *y * *ir**tory tr*v*rs*l vuln*r**ility. W**n r*lyin* on t** root option to r*stri*t *il* ****ss it m*y ** possi*l* *or *n *ppli**tion *onsum*r to *s**p* out o* t** r*stri*t** *ir**tory *n* ****ss *il*

Reasoning

T** vuln*r**ility st*ms *rom *ow root p*t* norm*liz*tion *n* *omp*rison w*r* **n*l** in S*n*Str**m's `pip*` m*t*o*. T** ori*in*l *o** norm*liz** t** root wit*out * tr*ilin* s*p*r*tor (`norm*liz*(root)`), t**n ****k** i* t** r*qu*st** p*t* st*rt** wit