
CVE-2017-16018: Cross-Site Scripting (XSS) in restify

CVSS Score (v3.0)
6.1

Basic Information

EPSS Score
0.45009%
Published
11/9/2018
Updated
9/12/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|--------------|-----------|---------------------|-----------------------|
| restify      | npm       | >= 2.0.0, <= 4.0.4  | 4.1.0                 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from how restify's router builds the error for a request whose URL matches no route. The key change in commit a015067 shows:

  1. In lib/router.js, the original 404 error message was built from the raw req.url, which still carries the query string.
  2. The patched version extracts only the pathname via url.parse(), so anything after the `?` is dropped before the message is formatted.
  3. Router.prototype.find is the execution path that handles unmatched routes and produces the ResourceNotFound (404) response.
  4. At runtime this function appears in the stack of any request to a non-existent endpoint, which makes it the place to look when triaging such requests.
  5. The vulnerable version therefore passes the user-controlled req.url, query string included, straight into the error message without sanitization or encoding; a URL-encoded script tag in the query string is reflected back to the client in the error body.


WAF Protection Rules

WAF Rule

Affected versions of `restify` are susceptible to a cross-site scripting vulnerability when using URL encoded script tags in a non-existent URL.

Proof of concept: Request

The request is shown masked and truncated on the page; the recoverable part is `https://localhost:****/no*_su***_*il**.pl?%**%**%**s*ript%***l*rt(****`, i.e. a URL-encoded script tag placed in the query string of a path that does not exist on the server, which the unpatched router reflects into its 404 error message.
