CVE-2024-49770: Path traversal in oak allows transfer of hidden files within the served root directory
By default, oak does not allow transfer of hidden files (dot-files) through the Context.send API. However, this check can be bypassed by encoding / as its URL-encoded form %2F, because the hidden-file check inspects the request path before the percent-escape is decoded.
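The following is an added example, not oak's own code and not the project's fix: it contrasts a hidden-file check that inspects the raw request path (and therefore never sees the segment boundary hidden inside %2F) with one that percent-decodes first, splits on the decoded separators, and refuses malformed escapes and parent-directory segments. All function names, the `SendPolicy` shape and the sample paths are assumptions constructed for illustration.

```typescript
// Added example (not oak's own code). Models a "hidden" option like the one
// the advisory describes; the names and shapes here are illustrative only.
type SendPolicy = { hidden: boolean };

/** Raw URL segments, as a check that does not decode first would see them. */
function rawSegments(pathname: string): string[] {
  return pathname.split("/").filter((s) => s.length > 0);
}

/**
 * Percent-decode repeatedly (bounded, to also catch %252F-style double
 * encoding), then split on both separator styles so an encoded slash can no
 * longer hide a segment boundary. Throws URIError on malformed escapes.
 */
function decodedSegments(pathname: string): string[] {
  let decoded = pathname;
  for (let i = 0; i < 3; i++) {
    const next = decodeURIComponent(decoded);
    if (next === decoded) break;
    decoded = next;
  }
  return decoded.split(/[\/\\]+/).filter((s) => s.length > 0);
}

/** A segment is "hidden" if it starts with "." but is not "." or "..". */
function hasHiddenSegment(segments: string[]): boolean {
  return segments.some((s) => s.startsWith(".") && s !== "." && s !== "..");
}

/** Weak check: inspects the raw path, so "/public%2F.env" is not seen as hidden. */
function naiveAllows(pathname: string, policy: SendPolicy): boolean {
  if (policy.hidden) return true;
  return !hasHiddenSegment(rawSegments(pathname));
}

/** Hardened check: decode before inspecting segments; refuse ".." and bad escapes. */
function hardenedAllows(pathname: string, policy: SendPolicy): boolean {
  let segments: string[];
  try {
    segments = decodedSegments(pathname);
  } catch (_e) {
    return false; // malformed percent-encoding: refuse rather than guess
  }
  if (segments.includes("..")) return false; // stay inside the served root
  if (policy.hidden) return true;
  return !hasHiddenSegment(segments);
}

// Constructed sample request paths (not from the advisory).
const samplePaths = ["/index.html", "/.env", "/public%2F.env", "/%252F.env", "/%E0%A4%A"];
const noHidden: SendPolicy = { hidden: false };
for (const p of samplePaths) {
  console.log(p, "naive:", naiveAllows(p, noHidden), "hardened:", hardenedAllows(p, noHidden));
}
```

The decisive difference is where decoding happens relative to the check: the naive version sees one segment `public%2F.env`, which does not start with a dot, while the hardened version sees `public` and `.env` and refuses the request. Bounding the decode loop matters too; an unbounded "decode until stable" loop would let a crafted path force unnecessary work, whereas three rounds are enough to expose double encoding.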
References
- github.com/advisories/GHSA-qm92-93fv-vh7m
- github.com/oakserver/oak
- github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts
- github.com/oakserver/oak/commit/4b2f27efd5cba5a45b2c3982e610da3af0869209
- github.com/oakserver/oak/security/advisories/GHSA-qm92-93fv-vh7m
- nvd.nist.gov/vuln/detail/CVE-2024-49770