
CVE-2019-5438: Unauthorized File Access in harp

CVSS Score: 5.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.44968%
Published: 6/13/2019
Updated: 9/7/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
harp            npm          < 0.40.3               0.40.3

Vulnerability Intelligence

Root Cause Analysis

The security patches add symlink validation checks to the process middleware in lib/middleware.js. The first commit (51cfb247) directly modifies exports.process to add lstat/readlink checks, indicating this was the vulnerable entry point that previously served files without validation. Subsequent commits refactor the check into dedicated middleware, but the core vulnerability existed in the file processing flow handled by exports.process prior to these mitigations. This function would appear in runtime profiles when serving malicious symlinks as it's the main asset pipeline handler.


WAF Protection Rules

WAF Rule

All versions of `harp` are vulnerable to Unauthorized File Access. If a symlink in the project's base directory points to a file outside of the directory, the file is served. This could allow an attacker to access sensitive files on the server.
