CVE-2024-56198 Overview
CVE-2024-56198 is a critical Path Traversal vulnerability in the path-sanitizer npm package, a lightweight utility designed to sanitize file paths and prevent directory traversal attacks. Prior to version 3.1.0, the package's filtering mechanisms can be bypassed using encoded sequences such as .=%5c, allowing attackers to traverse outside intended directories and potentially access sensitive files on the system.
Critical Impact
Attackers can bypass path sanitization filters to achieve arbitrary file access, potentially leading to unauthorized data disclosure, configuration exposure, or further system compromise through file manipulation.
Affected Products
- path-sanitizer npm package versions prior to 3.1.0
Discovery Timeline
- 2024-12-31 - CVE-2024-56198 published to NVD
- 2024-12-31 - Last updated in NVD database
Technical Details for CVE-2024-56198
Vulnerability Analysis
This vulnerability stems from incomplete input validation in the path sanitization logic. The path-sanitizer package is specifically designed to prevent Path Traversal attacks by filtering malicious path sequences like ../ and ..\. However, the filtering implementation failed to account for URL-encoded variations of these sequences.
The bypass technique uses .=%5c (where %5c is the URL-encoded backslash character) to circumvent the sanitization filters. When processed, this encoded sequence can resolve to a valid directory traversal pattern that the original filters did not catch, allowing attackers to escape the intended directory sandbox.
Applications relying on path-sanitizer to protect file operations—such as user-uploaded file access, template rendering, or configuration file retrieval—are at risk of exposing sensitive files or enabling unauthorized file system access.
Root Cause
The root cause is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The sanitization logic did not comprehensively handle all encoding variations and edge cases for parent directory traversal sequences. The original implementation lacked recursive or comprehensive pattern matching to catch encoded or alternative representations of directory traversal characters.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability by submitting a crafted path containing .=%5c or similar encoded sequences to any application endpoint that processes file paths through the vulnerable path-sanitizer package. This could occur through:
- File upload/download endpoints
- API parameters accepting file paths
- Query strings containing path information
- Form inputs processed for file operations
The following security patch was applied in version 3.1.0 to address the vulnerability:
// Replace double (back)slashes with a single slash
sanitizedPath = sanitizedPath.replace(/[\/\\]+/g, '/')
+ // Replace /../ with /
+ sanitizedPath = sanitizedPath.replace(options.parentDirectoryRegEx, '/')
+
+ // Remove ./ or / at start
+ while (sanitizedPath.startsWith('/') || sanitizedPath.startsWith('./') || sanitizedPath.endsWith('/..') || sanitizedPath.endsWith('/../') || sanitizedPath.startsWith('../') || sanitizedPath.startsWith('/../')) {
+ sanitizedPath = sanitizedPath.replace(/^\.\//g, '') // ^./
+ sanitizedPath = sanitizedPath.replace(/^\//g, '') // ^/
+ // Remove ../ | /../ at pos 0 and /.. | /../ at end
+ sanitizedPath = sanitizedPath.replace(/[\/\\]\.\.[\/\\]/g, '/')
+ sanitizedPath = sanitizedPath.replace(/^\.\.[\/\\]/g, '/')
+ sanitizedPath = sanitizedPath.replace(/[\/\\]\.\.$/g, '/')
+ sanitizedPath = sanitizedPath.replace(/[\/\\]\.\.\/$/g, '/')
+ }
+
// Make sure out is not "."
sanitizedPath = sanitizedPath.trim() === '.' ? '' : sanitizedPath
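Review bot: termination of the `while (...)` loop relies on every branch of its condition being consumed by one of the replaces in the body, and that is not obvious from the code: `sanitizedPath = sanitizedPath.replace(/^\.\.[\/\\]/g, '/')` rewrites a leading `../` to `/` instead of deleting it, so that branch only completes on the next pass through the `^\/` replace, and the `startsWith('/../')` test is already implied by `startsWith('/')`. Suggest replacing with `''` directly, dropping the redundant condition, and adding one unit test per branch (`./x`, `/x`, `../x`, `/../x`, `x/..`, `x/../`) so a future edit cannot reintroduce a non-terminating case. The comment `// Remove ./ or / at start` describes only the first two statements of the loop; extend it to cover the `/..` and `/../` suffix stripping that follows. Nothing in this hunk percent-decodes its input, so to these regexes `%5c` is an ordinary three-character sequence rather than a separator; the requirement that callers decode before calling the sanitizer should be stated in the package documentation alongside this change.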
Source: GitHub Commit Update
The patch introduces multiple improvements including a configurable parentDirectoryRegEx option and an iterative loop that continuously strips dangerous path patterns from both the beginning and end of the sanitized path until all traversal sequences are removed.
Detection Methods for CVE-2024-56198
Indicators of Compromise
- HTTP requests containing encoded path traversal sequences like %5c, %2e%2e, or .=%5c in file path parameters
- Unexpected file access patterns in application logs showing paths outside designated directories
- Server errors or unusual responses when accessing file endpoints with encoded characters
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block URL-encoded path traversal attempts including %5c, %2f, and %2e%2e patterns
- Review application logs for requests containing anomalous encoded sequences in path-related parameters
- Use SentinelOne's Singularity platform to monitor for suspicious file access patterns that indicate directory traversal exploitation
Monitoring Recommendations
- Enable detailed logging for all file system operations in applications using path-sanitizer
- Monitor for access attempts to sensitive files such as /etc/passwd, configuration files, or application source code
- Set up alerts for requests containing multiple encoding layers or unusual character combinations in path parameters
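The following is an added example, not SentinelOne's detection content or code from the path-sanitizer project: a small Node.js scanner that applies the indicators listed above (encoded backslash, encoded `..`, the `.=%5c` sequence, and a second encoding layer signalled by `%25`) to web-server access-log lines. The common-log-format layout and every sample line are constructed for the example; the indicator names are hypothetical labels chosen here.

```javascript
// Added example: flag access-log requests carrying encoded path-traversal
// indicators. Not SentinelOne's or path-sanitizer's code; log lines are constructed.
const SAMPLE_LOG = [
  '10.0.0.5 - - [31/Dec/2024:10:00:01 +0000] "GET /files?name=report.pdf HTTP/1.1" 200 512',
  '10.0.0.9 - - [31/Dec/2024:10:00:07 +0000] "GET /files?name=..%2f..%2fetc%2fpasswd HTTP/1.1" 403 0',
  '10.0.0.9 - - [31/Dec/2024:10:00:09 +0000] "GET /files?name=.%3d%5c..%5cconfig.json HTTP/1.1" 500 0',
  '10.0.0.12 - - [31/Dec/2024:10:00:15 +0000] "GET /files?name=%252e%252e%252fsecret HTTP/1.1" 404 0',
  '10.0.0.7 - - [31/Dec/2024:10:00:20 +0000] "POST /upload HTTP/1.1" 201 0',
];

// Indicator name (hypothetical label) -> case-insensitive regex over the RAW request URL.
// Matching the undecoded URL is deliberate: the encoded form itself is the anomaly.
const INDICATORS = {
  encoded_backslash: /%5c/i,                   // %5c = '\'
  encoded_dot_dot: /%2e%2e|\.%2e|%2e\./i,      // fully or partially encoded '..'
  encoded_slash_traversal: /\.\.%2f|%2f\.\./i, // '..' adjacent to an encoded '/'
  dot_equals_backslash: /\.=%5c|\.%3d%5c/i,    // the .=%5c sequence named in the advisory
  double_encoding: /%25[0-9a-f]{2}/i,          // %25 = '%': a second encoding layer
};

// Pull the URL out of the quoted request line; null if the line does not parse.
function extractUrl(line) {
  const m = line.match(/"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Names of every indicator that fires on a URL (empty array for a clean URL).
function matchIndicators(url) {
  return Object.entries(INDICATORS)
    .filter(([, re]) => re.test(url))
    .map(([name]) => name);
}

// One finding per suspicious line: { line, url, indicators, status }.
// A 403/404/500 on a flagged request still deserves an alert: the sanitizer may
// have rejected this variant, but the attempt itself is the signal to investigate.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const url = extractUrl(line);
    if (url === null) continue;
    const indicators = matchIndicators(url);
    if (indicators.length === 0) continue;
    const status = Number((line.match(/" (\d{3}) /) || [])[1]);
    findings.push({ line, url, indicators, status });
  }
  return findings;
}

// Usage: print one line per flagged request.
for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`[${f.status}] ${f.url} -> ${f.indicators.join(', ')}`);
}
```

The scanner intentionally does not decode the URL before matching: decoding first would turn `%2e%2e%2f` into a plain `../` that is indistinguishable from a benign relative path in a proxy log, whereas the presence of the encoded form in a file-name parameter is what the indicators above describe. The `double_encoding` pattern catches the "multiple encoding layers" case without needing to decode at all.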
How to Mitigate CVE-2024-56198
Immediate Actions Required
- Upgrade path-sanitizer to version 3.1.0 or later immediately
- Audit all applications using path-sanitizer to identify exposed endpoints
- Implement additional server-side path validation as defense-in-depth while upgrading
Patch Information
The vulnerability is fixed in path-sanitizer version 3.1.0. Organizations should update their package.json dependencies and run npm update path-sanitizer or npm install path-sanitizer@^3.1.0 to apply the security fix. For additional technical details, see the GitHub Security Advisory GHSA-94p5 and the security patch commit.
Workarounds
- Implement additional path validation using Node.js path.resolve() and verify the resolved path starts with the intended base directory
- Decode URL-encoded inputs before passing them to path sanitization functions to catch encoded bypass attempts
- Use allowlist-based validation for file paths where possible, only permitting access to explicitly defined files or directories
# Update path-sanitizer to patched version
npm update path-sanitizer
# Or install specific patched version
npm install path-sanitizer@^3.1.0
# Verify installed version
npm list path-sanitizer
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


