| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @fastify/reply-from | npm | <= 12.4.0 | 12.5.0 |
The vulnerability lies in the fastify-reply-from package, where a path traversal flaw allows an attacker to bypass route restrictions. The analysis of the patch commit 4d9795cd5b57a36756d37b7f036eae369f69fa66 reveals two key functions involved in the vulnerability.
buildURL in lib/utils.js: This is the core vulnerable function. It constructs the final URL for the upstream service but did not sanitize the input source URL, so an attacker could use `..` (or its percent-encoded form `%2e%2e`) to navigate outside the intended directory structure and reach restricted routes. The patch adds a check that decodes the URL component and explicitly looks for `..`, throwing an error if it is found.
from (as reply.from) in index.js: This function serves as the entry point for the vulnerability. When reply.from() is called, it takes the request URL (req.url) and passes it to the buildURL function. The original implementation used the full req.url, including any query parameters. The patch modifies this to strip the query string from the URL before passing it to buildURL. This change prevents attackers from using the query string to hide or obfuscate path traversal attempts.
During an exploit, a profiler would likely show a call stack including the from function (as reply.from) which in turn calls the buildURL function. Both functions are critical to understanding and identifying the exploitation of this vulnerability.
| Function | File |
|---|---|
| buildURL | lib/utils.js |
| from | index.js |
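To make the two fixes concrete, here is an added illustration (not code from @fastify/reply-from or its patch) that models the weak URL construction beside a hardened form applying both changes described above: strip the query string, decode once, and refuse `..` before resolving. The function names, the upstream base and the `/proxy/` prefix are constructed for this example.

```javascript
// Added example, not the project's own code. Names, upstream base and the
// "/proxy/" route prefix are constructed for illustration.
const UPSTREAM_BASE = 'http://upstream.internal:3000/api/'; // constructed

// Weak: the request URL is forwarded unchecked. The WHATWG URL parser treats
// an encoded "%2e%2e" segment as "..", so the upstream path can escape /api/
// even though the raw request path never contained a literal "..".
function buildUpstreamUrlWeak(reqUrl, prefix = '/proxy/') {
  return new URL(reqUrl.slice(prefix.length), UPSTREAM_BASE).href;
}

// Hardened: separate the query string so only the path is inspected, decode
// once, reject any ".." (covers "%2e%2e"), then resolve and re-attach the
// query. Re-attaching the query is an assumption of this example.
function buildUpstreamUrlHardened(reqUrl, prefix = '/proxy/') {
  const qIndex = reqUrl.indexOf('?');
  const path = qIndex === -1 ? reqUrl : reqUrl.slice(0, qIndex);
  const query = qIndex === -1 ? '' : reqUrl.slice(qIndex); // keeps the "?"
  let decoded;
  try {
    decoded = decodeURIComponent(path);
  } catch (e) {
    // Malformed percent-encoding: refuse rather than guess at the intent.
    throw new Error('malformed percent-encoding in request path');
  }
  if (decoded.includes('..')) {
    throw new Error('path traversal rejected');
  }
  const dest = new URL(path.slice(prefix.length), UPSTREAM_BASE);
  dest.search = query;
  return dest.href;
}

// A guard that matches on the raw path, as a router would: it does not see
// "/admin" in "/proxy/%2e%2e/admin", which is why the unchecked build above
// amounts to a route-restriction bypass.
function rawPathLooksRestricted(reqUrl) {
  return reqUrl.startsWith('/admin');
}
```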