CVE-2024-56198: path-sanitizer allows bypassing the existing filters to achieve path-traversal vulnerability
This is a PoC for the path-sanitizer npm package. The filters can be bypassed, which can result in path traversal.
Payload: ..=%5c
This payload can be used to bypass the filters on the CLI (along with other candidates). Something similar would likely work on web apps as well.
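A mitigation that does not depend on a character filter being complete, shown as an added example (not code from path-sanitizer or the advisory): resolve the final path and verify it stays under the base directory. The names `resolveInside` and `tryResolve` and the base directory `/srv/files` are hypothetical, and POSIX path semantics are assumed.

```javascript
'use strict';
const path = require('path');

// Hypothetical helper, not part of path-sanitizer. Call it on the final
// string that will reach the filesystem, after all decoding and filtering.
function resolveInside(baseDir, finalPath) {
  if (typeof finalPath !== 'string' || finalPath.includes('\0')) {
    throw new Error('invalid path');
  }
  // %5c decodes to "\"; count it as a separator so "..\" is seen as a
  // parent-directory segment even on a POSIX host.
  const unified = finalPath.replace(/\\/g, '/');
  const base = path.posix.resolve(baseDir);
  // Prefixing "./" makes absolute input resolve under the base directory.
  const target = path.posix.resolve(base, './' + unified);
  const rel = path.posix.relative(base, target);
  if (rel === '..' || rel.startsWith('../')) {
    throw new Error('path escapes base directory: ' + finalPath);
  }
  return target;
}

// Returns the resolved path, or null when the input is rejected.
function tryResolve(baseDir, finalPath) {
  try {
    return resolveInside(baseDir, finalPath);
  } catch (err) {
    return null;
  }
}

// Constructed sample inputs; /srv/files is a placeholder base directory.
const samples = [
  'docs/report.txt',
  '..=%5c',                                // page's payload, undecoded
  decodeURIComponent('..%5csecret.txt'),   // "..\secret.txt" once decoded
  'a/../../b',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', tryResolve('/srv/files', s));
}
```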
References
- github.com/advisories/GHSA-94p5-r7cc-3rpr
- github.com/cabraviva/path-sanitizer
- github.com/cabraviva/path-sanitizer/commit/b6d2319eac910dffdfacc8460f5b5cc5a1518ead
- github.com/cabraviva/path-sanitizer/security/advisories/GHSA-94p5-r7cc-3rpr
- nvd.nist.gov/vuln/detail/CVE-2024-56198
- www.loom.com/share/b766ece5193842848ce7562fcd559256?sid=fd826eb6-0eee-4601-bf0e-9cfee5c56e9d