
CVE-2022-25848: static-dev-server vulnerable to path traversal

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.29496%
Published: 11/29/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: static-dev-server
Ecosystem: npm
Vulnerable Versions: = 1.0.0
First Patched Version: (not listed)

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from two key issues: (1) The path.join() call naively combines user input (URI) with the root directory, enabling traversal attempts. (2) The validPath function's validation logic (using indexOf instead of strict path comparison) fails to properly restrict access to the root directory. The PoC demonstrates that paths like '../public-isprivate' bypass validation because 'public-isprivate' starts with the rootPath 'public', passing the indexOf check. This combination of improper path joining and weak validation enables directory traversal.


WAF Protection Rules

WAF Rule

A path traversal vulnerability affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory. There is currently
