
GHSA-7p7c-pvvx-2vx3: hyper-staticfile's improper validation of Windows paths could lead to directory traversal attack

CVSS Score
N/A

Basic Information

CVE ID
-
EPSS Score
-
Published
12/5/2022
Updated
3/30/2023
KEV Status
No
Technology
Rust

Technical Details

CVSS Vector
-
Package Name      Ecosystem  Vulnerable Versions  First Patched Version
hyper-staticfile  rust       < 0.9.2              0.9.2
hyper-staticfile  rust       = 0.10.0-alpha.1     0.10.0-alpha.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from how normalize_path handled path components. The original implementation (pre-patch) directly pushed 'Component::Normal' segments without validating if they contained Windows drive letter prefixes. The patch adds a secondary check that re-parses each component to ensure it doesn't contain drive letters or other special components. This matches the vulnerability description where paths like '/foo/bar/c:/windows/...' would resolve to absolute Windows paths. The added Windows-specific test in static.rs confirms this was the attack vector.
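The following Rust is an added illustration of the check described above; it is not hyper-staticfile's source and is written against std::path only. It contrasts a naive normaliser, which pushes every Normal component as-is, with a hardened one that re-parses each segment (on Windows, a segment such as `c:` re-parses as Component::Prefix and is rejected). Because that re-parse only fires on Windows, the example also carries an explicit, constructed drive-letter check so the rejection is observable on other hosts; the sample paths are constructed.

```rust
use std::path::{Component, Path, PathBuf};

/// Naive normalisation in the shape the advisory describes for the pre-patch code:
/// every `Component::Normal` segment is pushed without inspection. On Windows,
/// `PathBuf::push` of a segment carrying a drive prefix replaces everything
/// accumulated so far, which is how `/foo/bar/c:/...` escapes the document root.
/// Constructed stand-in, not hyper-staticfile's code.
fn normalize_path_naive(requested: &str) -> PathBuf {
    let mut out = PathBuf::new();
    for comp in Path::new(requested).components() {
        match comp {
            Component::Normal(seg) => out.push(seg),
            Component::ParentDir => {
                out.pop();
            }
            _ => {}
        }
    }
    out
}

/// Portable, constructed check for segments Windows would read as a drive-letter
/// prefix (`c:`, `c:foo`) or a UNC/device prefix (`\\server\share`). Added here so
/// the rejection can be seen on non-Windows hosts; not part of the original patch.
fn is_windows_prefix_like(seg: &str) -> bool {
    let b = seg.as_bytes();
    let drive = b.len() >= 2 && b[0].is_ascii_alphabetic() && b[1] == b':';
    let unc = seg.starts_with("\\\\");
    drive || unc
}

/// The re-parse check the advisory describes: a segment is accepted only if the
/// platform's own parser sees exactly one `Component::Normal`. On Windows, `c:`
/// becomes `Component::Prefix` and `a\b` splits into two components, so both fail.
fn is_plain_segment(seg: &str) -> bool {
    let mut comps = Path::new(seg).components();
    matches!(comps.next(), Some(Component::Normal(_))) && comps.next().is_none()
}

/// Hardened normalisation: always yields a path relative to the document root,
/// resolves `..` by popping (never below the root), and rejects any segment that
/// is not a plain file or directory name.
fn normalize_path_checked(requested: &str) -> Result<PathBuf, String> {
    let mut out = PathBuf::new();
    for comp in Path::new(requested).components() {
        match comp {
            Component::Normal(seg) => {
                let seg = seg
                    .to_str()
                    .ok_or_else(|| "non-UTF-8 segment".to_string())?;
                if !is_plain_segment(seg) || is_windows_prefix_like(seg) {
                    return Err(format!("rejected segment {:?}", seg));
                }
                out.push(seg);
            }
            Component::ParentDir => {
                out.pop();
            }
            // RootDir, CurDir and a leading Prefix are dropped: the result is
            // always interpreted relative to the document root.
            _ => {}
        }
    }
    Ok(out)
}

fn main() {
    // Constructed request paths: the advisory's traversal shape and two benign ones.
    let samples = [
        "/foo/bar/c:/windows/web/screen/img101.png",
        "/foo/../bar/./baz.png",
        "/../../secret.txt",
    ];
    for s in samples {
        println!(
            "{:<45} naive={:?} checked={:?}",
            s,
            normalize_path_naive(s),
            normalize_path_checked(s)
        );
    }
}
```

The naive version never rejects anything, so on Windows the third segment silently becomes an absolute path; the checked version fails closed on that segment while still serving ordinary requests and clamping `..` at the document root.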

WAF Protection Rules

WAF Rule

Path resolution in `hyper-staticfile` didn't correctly validate Windows paths, meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users could poten
T** vuln*r**ility st*ms *rom *ow `norm*liz*_p*t*` **n*l** p*t* *ompon*nts. T** ori*in*l impl*m*nt*tion (pr*-p*t**) *ir**tly pus*** '*ompon*nt::Norm*l' s**m*nts wit*out v*li**tin* i* t**y *ont*in** Win*ows *riv* l*tt*r pr**ix*s. T** p*t** ***s * s**on