CVE-2024-49770 Information
Description
oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers, and Bun. By default, oak does not allow transferring hidden files through the Context.send API. However, prior to version 17.1.3 this restriction can be bypassed by encoding / as its URL-encoded form %2F, so the hidden-file check does not see a path separator before the dot-prefixed name. For an attacker this has the potential to read sensitive user data or to gain access to server secrets. Version 17.1.3 fixes the issue.
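The following is an added example, not code from oak itself, that models the class of defect the advisory describes: a hidden-file check that inspects the raw request path misses a dot-prefixed name when the preceding separator arrives as %2F, whereas a check run on the decoded path (the same string the filesystem lookup will use) refuses it. Function names and the exact check structure are assumptions for illustration.

```typescript
// Added example (not oak's own code). Models a hidden-file guard for a
// static-file "send" handler, before and after hardening.

// Percent-decode a request path. Returns null on a malformed escape so the
// caller can refuse the request instead of guessing.
function decodePath(raw: string): string | null {
  try {
    return decodeURIComponent(raw);
  } catch {
    return null;
  }
}

// Weak check (the pattern the advisory describes): splits the RAW path on "/"
// and looks for a segment beginning with ".". For "/public%2F.env" the only
// non-empty segment is "public%2F.env", which starts with "p", so the hidden
// file is not detected even though the server will later resolve it to
// "/public/.env".
function naiveDeniesHidden(rawPath: string): boolean {
  return rawPath.split("/").some((seg) => seg.startsWith("."));
}

// Hardened check: decode first, split on both "/" and "\", and refuse any
// dot-prefixed segment (which also covers ".." traversal). Returns true when
// the request must be refused.
function hardenedDeniesHidden(rawPath: string): boolean {
  const decoded = decodePath(rawPath);
  if (decoded === null) return true; // malformed escape: refuse outright
  const segments = decoded.split(/[\\/]+/);
  return segments.some((seg) => seg.startsWith(".") && seg !== ".");
}

// Constructed request paths used to contrast the two checks.
const SAMPLE_PATHS = [
  "/public/index.html", // ordinary file: both checks allow
  "/public/.env",       // hidden file, plain separator: both checks refuse
  "/public%2F.env",     // hidden file, encoded separator: only the hardened check refuses
  "/%2e%2e/secret",     // encoded traversal: only the hardened check refuses
];

// Returns, per path, what each check decides; useful as a regression table.
function compareChecks(paths: string[]): Array<{ path: string; naive: boolean; hardened: boolean }> {
  return paths.map((path) => ({
    path,
    naive: naiveDeniesHidden(path),
    hardened: hardenedDeniesHidden(path),
  }));
}

for (const row of compareChecks(SAMPLE_PATHS)) {
  console.log(`${row.path.padEnd(22)} naive=${row.naive} hardened=${row.hardened}`);
}
```

The design point is that any allow/deny decision on a path must be made on exactly the representation the file system will receive; validating the raw URL and then decoding it for the lookup creates two different views of the same request, and that gap is what the encoded separator exploits.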
Reference
https://github.com/oakserver/oak/security/advisories/GHSA-qm92-93fv-vh7m
https://github.com/oakserver/oak/commit/4b2f27efd5cba5a45b2c3982e610da3af0869209
https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125
https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25