CVE-2024-48914 Overview
CVE-2024-48914 is a critical path traversal vulnerability in Vendure, an open-source headless commerce platform. The vulnerability exists in Vendure's asset server plugin and allows an attacker to craft a request capable of traversing the server file system and retrieving the contents of arbitrary files. This includes sensitive data such as configuration files, environment variables, and other critical data stored on the server. Additionally, the same code path contains a vector for crashing the server via a malformed URI, introducing both confidentiality and availability impacts.
Critical Impact
Attackers can read arbitrary files from the server including configuration files and environment variables, potentially exposing credentials, API keys, and other sensitive data. A secondary attack vector allows denial of service through server crashes.
Affected Products
- Vendure versions prior to 3.0.5
- Vendure versions prior to 2.3.3
- Vendure Asset Server Plugin (packages/asset-server-plugin)
Discovery Timeline
- 2024-10-15 - CVE-2024-48914 published to NVD
- 2024-10-16 - Last updated in NVD database
Technical Details for CVE-2024-48914
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) in the asset server plugin's file handling logic. When processing asset requests, the plugin fails to properly sanitize the request path before using it to access files on the local file system. The vulnerable code directly uses decodeURIComponent(req.path) without validating that the decoded path stays within the intended asset directory boundaries.
An attacker can exploit this by sending requests containing path traversal sequences such as /../ to escape the asset directory and access files elsewhere on the server. The network-accessible nature of this vulnerability combined with no authentication requirements makes it particularly dangerous for internet-facing Vendure deployments.
Root Cause
The root cause lies in the asset server plugin's handling of file paths in the plugin.ts file. The original code directly decoded the URL path using decodeURIComponent(req.path) without validating or sanitizing the result to prevent directory traversal. This allowed encoded path traversal sequences (e.g., %2F..%2F) to bypass any URL-level filtering and escape the intended asset directory when decoded.
Attack Vector
The vulnerability is exploitable over the network without authentication. An attacker can craft HTTP requests to the asset server endpoint containing path traversal sequences. By using URL-encoded characters like %2F for forward slashes and %2E for periods, attackers can bypass basic path filtering and access files outside the designated asset directory.
The attack can target:
- Configuration files (e.g., .env, config.json)
- Application source code
- System files if permissions allow
- Database credentials and API keys stored in configuration
// Vulnerable code path from plugin.ts
return async (err: any, req: Request, res: Response, next: NextFunction) => {
if (err && (err.status === 404 || err.statusCode === 404)) {
if (req.query) {
const decodedReqPath = decodeURIComponent(req.path);
// Path traversal possible here - no sanitization
Logger.debug(`Pre-cached Asset not found: ${decodedReqPath}`, loggerCtx);
let file: Buffer;
try {
Source: GitHub Vendure Code Snippet
Detection Methods for CVE-2024-48914
Indicators of Compromise
- HTTP requests to asset endpoints containing encoded path traversal sequences (%2F..%2F, /../)
- Unusual file access patterns in server logs targeting system or configuration files
- Error logs showing file access attempts outside the asset directory
- Application crashes or restarts associated with malformed URI requests
Detection Strategies
- Monitor web server access logs for requests containing /../ or URL-encoded equivalents (%2F..%2F, %252F..%252F)
- Implement Web Application Firewall (WAF) rules to block path traversal patterns in asset server requests
- Review application error logs for file access exceptions indicating attempted directory escapes
- Deploy intrusion detection signatures that alert on path traversal attempts against Vendure instances
Monitoring Recommendations
- Enable verbose logging on Vendure asset server endpoints to capture all incoming requests
- Configure file integrity monitoring on sensitive configuration files to detect unauthorized access
- Set up alerts for unusual patterns of 404 errors followed by successful file retrievals
- Monitor for application crashes that may indicate exploitation of the malformed URI denial of service vector
How to Mitigate CVE-2024-48914
Immediate Actions Required
- Upgrade Vendure to version 3.0.5 or 2.3.3 immediately
- Review server logs for evidence of exploitation attempts
- Audit any sensitive files that may have been accessed through this vulnerability
- Rotate credentials and API keys stored in potentially exposed configuration files
- Consider temporarily disabling the asset server plugin if immediate patching is not possible
Patch Information
Security patches are available in Vendure versions 3.0.5 and 2.3.3. The fix replaces the direct use of decodeURIComponent(req.path) with a new sanitizeFilePath() method that properly validates and sanitizes the file path to prevent directory traversal attacks.
// Patched code - uses sanitizeFilePath() instead of decodeURIComponent()
return async (err: any, req: Request, res: Response, next: NextFunction) => {
if (err && (err.status === 404 || err.statusCode === 404)) {
if (req.query) {
const decodedReqPath = this.sanitizeFilePath(req.path);
Logger.debug(`Pre-cached Asset not found: ${decodedReqPath}`, loggerCtx);
let file: Buffer;
try {
Source: GitHub Vendure Commit Update
For more details, see the GitHub Security Advisory GHSA-r9mq-3c9r-fmjq.
Workarounds
- Use object storage instead of the local file system (e.g., MinIO or S3) for asset storage
- Define middleware that detects and blocks requests with URLs containing /../
- Implement a reverse proxy or WAF rule to filter path traversal patterns before requests reach Vendure
- Restrict network access to the asset server endpoint using firewall rules
# Example nginx configuration to block path traversal attempts
location /assets/ {
# Block requests containing path traversal sequences
if ($request_uri ~* "\.\.") {
return 403;
}
# Proxy to Vendure asset server
proxy_pass http://localhost:3000;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
