Miggo Logo
Miggo Vulnerability Database
CVE-2024-22207

CVE-2024-22207: Default swagger-ui configuration exposes all files in the module

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-22207
GHSA ID
GHSA-62jr-84gf-wmg4
EPSS Score
0.93675%
CWE
CWE-1188
Published
1/16/2024
Updated
2/16/2024
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
@fastify/swagger-uinpm>= 2.0.0, < 2.1.02.1.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the unconditional registration of fastify-static and the wildcard route handler in lib/routes.js. The original code: 1) Registered fastify-static with root=opts.baseDir || __dirname/.. (module directory) 2) Created a /* route that served any file via sendFile(). When baseDir wasn't set, this combination allowed access to all files in the module directory. The patch moved both the static registration and route creation inside an if (opts.baseDir) block, making them conditional. The handler function in the wildcard route is specifically vulnerable as it directly serves files from the uncontrolled root directory when baseDir is missing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** ****ult *on*i*ur*tion o* `@**sti*y/sw****r-ui` wit*out `**s**ir` s*t will l*** to *ll *il*s in t** mo*ul*'s *ir**tory **in* *xpos** vi* *ttp rout*s s*rv** *y t** mo*ul*. ### P*t***s Up**t* to v*.*.* ### Work*roun*s Us* t** `**s**

Reasoning

T** vuln*r**ility st*ms *rom t** un*on*ition*l r**istr*tion o* `**sti*y-st*ti*` *n* t** wil***r* rout* **n*l*r in `li*/rout*s.js`. T** ori*in*l *o**: *) R**ist*r** `**sti*y-st*ti*` wit* root=`opts.**s**ir` || `__*irn*m*/..` (mo*ul* *ir**tory) *) *r**