CVE-2020-7758: Path Traversal in browserless-chrome

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.68153%
Published: 5/10/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name: browserless-chrome
Ecosystem: npm
Vulnerable Versions: < 1.43.0
First Patched Version: 1.43.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability exists in route handlers processing '/workspace' endpoints. Both locations shown in the diff (lines 157 and 185 in `routes.ts`) construct `filePath` using `path.join(workspaceDir, file)` without verifying the resulting path remains within `workspaceDir`. Attackers could supply 'file' parameters with directory traversal sequences (../../) to access arbitrary files. The patch added critical containment checks using `filePath.includes(workspaceDir)`, confirming these were the vulnerable points. The functions handle user-supplied filenames directly and return file contents, making them the clear injection points for path traversal.
