As discussed, the vulnerability is in the dev server, but it would still be better to fix it.
The vulnerable code is in the ./scripts/serve.js file, which you can view online at: https://raw.githubusercontent.com/jupyterlite/jupyterlite/HEAD/scripts/serve.js
If the pathname of the URL contains relative path segments (e.g. ../), the returned path can be outside the intended directory, which might lead to leakage of sensitive files.
Running the project:
We used the node command to run the file directly: node ./scripts/serve.js
Verified proof-of-concept (PoC) to read the hostname file (path traversal vulnerability):
Denial of service vulnerability:
We also verified that this vulnerability can lead to a Denial of Service attack, as the server first loads the whole file content into memory and only then tries to send the response.
Loading a large file (for example reading /dev/urandom/) can use up all the memory within a few seconds and crash the server.
By default, running the vulnerable file opens a port in the localhost-only scope. Thus the Attack Vector (AV) of CVSS is: (A)djacent
Impact: We've calculated the base score of the vulnerability (as a proposal) as 7.7, with a severity of "High", using the following vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H You can view the CVSS score online via: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
This patch was generated with the help of LLMs. We verified that it works and doesn't break application functionality, but we still HIGHLY recommend that you verify that it correctly mitigates the bug and doesn't hurt the functionality of your software.