Miggo Logo
Miggo Vulnerability Database
CVE-2020-7681

CVE-2020-7681: Path Traversal in marscode

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-7681
GHSA ID
GHSA-8pww-pp5r-rff8
EPSS Score
0.63642%
CWE
CWE-22
Published
5/7/2021
Updated
9/5/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
marscodenpm<= 1.0.1-0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability description explicitly states there's no path sanitization in the fs.readFile call in index.js. Multiple sources (GitHub Advisory, NVD, Snyk) confirm the path parameter to fs.readFile is vulnerable to traversal attacks. The PoC demonstrates exploitation via crafted paths, directly implicating this function. No other functions are mentioned in the advisory materials.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts *ll v*rsionsup to *n* in*lu*in* v*rsion *.*.*-* o* p**k*** m*rs*o**. T**r* is no p*t* s*nitiz*tion in t** p*t* provi*** *t `*s.r****il*` in `in**x.js`.

Reasoning

T** vuln*r**ility **s*ription *xpli*itly st*t*s t**r*'s no p*t* s*nitiz*tion in t** *s.r****il* **ll in in**x.js. Multipl* sour**s (*it*u* **visory, NV*, Snyk) *on*irm t** p*t* p*r*m*t*r to *s.r****il* is vuln*r**l* to tr*v*rs*l *tt**ks. T** Po* **mo