Miggo Logo

CVE-2018-3729: Path Traversal in localhost-now

7.5

CVSS Score
3.1

Basic Information

EPSS Score
0.72984%
Published
7/25/2018
Updated
3/1/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
localhost-nownpm< 1.0.21.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from how user-supplied URL paths were handled in the HTTP request handler. The pre-patch code in lib/app.js directly used req.url to build a filesystem path without adequate sanitization. The critical line 'const file = url === '/' ? '/index.html' : url' allowed attackers to inject path traversal sequences. The commit diff shows the fix added a regex replacement (/(\.\.\/[\\\/])+/g, '') to neutralize traversal attempts, confirming the original function's vulnerability. The fs.readFile call with user-controlled input is the direct vector for exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* `lo**l*ost-now` ***or* *.*.* *r* vuln*r**l* to p*t* tr*v*rs*l. T*is *llows * r*mot* *tt**k*r to r*** t** *ont*nt o* *n *r*itr*ry *il*. ## R**omm*n**tion Up**t* to v*rsion *.*.* or l*t*r.

Reasoning

T** vuln*r**ility st*ms *rom *ow us*r-suppli** URL p*t*s w*r* **n*l** in t** *TTP r*qu*st **n*l*r. T** pr*-p*t** *o** in `li*/*pp.js` *ir**tly us** `r*q.url` to *uil* * *il*syst*m p*t* wit*out ***qu*t* s*nitiz*tion. T** *riti**l lin* '*onst *il* = ur