GHSA-F6GV-HH8J-Q8VQ
Vulnerability from github – Published: 2023-12-15 02:45 – Updated: 2023-12-15 02:45
Summary
Named path parameters can be overridden in TrieRouter
Details
Impact
Clients may override named path parameter values from previous requests if the application is using TrieRouter. So there is a risk that a privileged user may use unintended parameters when deleting REST API resources.
TrieRouter is used either explicitly or when the application registers a pattern that the default RegExpRouter does not support.
The code to reproduce the issue. The server-side application:
```ts
import { Hono } from 'hono'
import { TrieRouter } from 'hono/router/trie-router'

const wait = async (ms: number) => {
  return new Promise((resolve) => {
    setTimeout(resolve, ms)
  })
}

// Explicitly select TrieRouter instead of the default RegExpRouter.
const app = new Hono({ router: new TrieRouter() })

// Random delay so that concurrent requests interleave before their handlers run.
app.use('*', async (c, next) => {
  await wait(Math.random() * 200)
  return next()
})

app.get('/modules/:id/versions/:version', async (c) => {
  const id = c.req.param('id')
  const version = c.req.param('version')

  console.log('path', c.req.path)
  console.log('version', version)

  return c.json({
    id,
    version,
  })
})

export default app
```
The client code that makes requests to the server application:
```ts
const examples = [
  'http://localhost:8787/modules/first/versions/first',
  'http://localhost:8787/modules/second/versions/second',
  'http://localhost:8787/modules/third/versions/third',
]

const test = () => {
  for (const example of examples) {
    fetch(example)
      .then((response) => response.json())
      .then((data) => {
        // The last path segment is the version the server should echo back.
        const splitted = example.split('/')
        const expected = splitted[splitted.length - 1]

        if (expected !== data.version) {
          console.error(`Error: exprected ${expected} but got ${data.version} - url was ${example}`)
        }
      })
  }
}

test()
```
The results:
```txt
Error: exprected second but got third - url was http://localhost:8787/modules/second/versions/second
Error: exprected first but got third - url was http://localhost:8787/modules/first/versions/first
```
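To make the bug class concrete, here is an added example that is not Hono's code: a minimal trie-style matcher that keeps one mutable params object on the route and shares it across matches, next to the corrected per-match allocation. The names `Route`, `match` and `run` are assumptions, and the matcher is a simplification of how a real trie router stores parameters.

```typescript
// Added example, not Hono's code: a minimal trie-style matcher showing the
// bug class in this advisory (one params object shared across matches) next
// to the corrected per-match allocation. Route, match and run are assumed names.
type Params = Record<string, string>

class Route {
  segments: string[]
  // Defect: a single mutable params object kept on the route node, so the
  // next matching request overwrites values an earlier request still holds.
  params: Params = {}
  constructor(pattern: string) {
    this.segments = pattern.split('/').filter(Boolean)
  }
}

// Match `path` against `route`; returns the captured params or null.
// `shared` selects the buggy behaviour (write into route.params in place);
// the fix is to allocate a fresh object for every match.
function match(route: Route, path: string, shared: boolean): Params | null {
  const parts = path.split('/').filter(Boolean)
  if (parts.length !== route.segments.length) return null
  const params: Params = shared ? route.params : {}
  for (let i = 0; i < parts.length; i++) {
    const seg = route.segments[i]
    if (seg.startsWith(':')) params[seg.slice(1)] = parts[i]
    else if (seg !== parts[i]) return null
  }
  return params
}

// Reproduce the advisory's interleaving: all three requests are matched
// before any handler reads its params (the random-delay middleware in the
// repro is what makes that ordering happen in a real server).
function run(shared: boolean): string[] {
  const route = new Route('/modules/:id/versions/:version')
  const ids = ['first', 'second', 'third']
  const matched = ids.map(
    (name) => match(route, `/modules/${name}/versions/${name}`, shared)!
  )
  // Each "handler" now reads the version it was given.
  return matched.map((p) => p.version)
}

console.log('shared params:', run(true).join(', '))  // third, third, third
console.log('fresh params :', run(false).join(', ')) // first, second, third
```

With shared state every in-flight request observes the parameters of whichever request was matched last, which is exactly the mismatch the repro's client prints.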
Patches
Version v3.11.7 includes the change that fixes this issue.
Workarounds
Don't use TrieRouter directly.
```ts
// DON'T USE TrieRouter
import { TrieRouter } from 'hono/router/trie-router'
const app = new Hono({ router: new TrieRouter() })
```
References
Router options on the Hono website: https://hono.dev/api/hono#router-option
Severity: 4.2 (Medium)
```json
{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "hono"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.11.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-50710"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-15T02:45:54Z",
    "nvd_published_at": "2023-12-14T18:15:45Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources.\n\nTrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.\n\nThe code to reproduce it. The server side application:\n\n```ts\nimport { Hono } from \u0027hono\u0027\nimport { TrieRouter } from \u0027hono/router/trie-router\u0027\n\nconst wait = async (ms: number) =\u003e {\n return new Promise((resolve) =\u003e {\n setTimeout(resolve, ms)\n })\n}\n\nconst app = new Hono({ router: new TrieRouter() })\n\napp.use(\u0027*\u0027, async (c, next) =\u003e {\n await wait(Math.random() * 200)\n return next()\n})\n\napp.get(\u0027/modules/:id/versions/:version\u0027, async (c) =\u003e {\n const id = c.req.param(\u0027id\u0027)\n const version = c.req.param(\u0027version\u0027)\n\n console.log(\u0027path\u0027, c.req.path)\n console.log(\u0027version\u0027, version)\n\n return c.json({\n id,\n version,\n })\n})\n\nexport default app\n```\n\nThe client code which makes requests to the server application:\n\n```ts\nconst examples = [\n \u0027http://localhost:8787/modules/first/versions/first\u0027,\n \u0027http://localhost:8787/modules/second/versions/second\u0027,\n \u0027http://localhost:8787/modules/third/versions/third\u0027,\n]\n\nconst test = () =\u003e {\n for (const example of examples) {\n fetch(example)\n .then((response) =\u003e response.json())\n .then((data) =\u003e {\n const splitted = example.split(\u0027/\u0027)\n const expected = splitted[splitted.length - 1]\n\n if (expected !== data.version) {\n console.error(`Error: exprected ${expected} but got ${data.version} - url was ${example}`)\n }\n })\n }\n}\n\ntest()\n```\n\nThe results:\n\n```txt\nError: exprected second but got third - url was http://localhost:8787/modules/second/versions/second\nError: exprected first but got third - url was http://localhost:8787/modules/first/versions/first\n```\n\n### Patches\n\n\"v3.11.7\" includes the change to fix this issue.\n\n### Workarounds\n\nDon\u0027t use TrieRouter directly.\n\n```ts\n// DON\u0027T USE TrieRouter\nimport { TrieRouter } from \u0027hono/router/trie-router\u0027\nconst app = new Hono({ router: new TrieRouter() })\n```\n\n### References\n\nRouter options on the Hono website: https://hono.dev/api/hono#router-option",
  "id": "GHSA-f6gv-hh8j-q8vq",
  "modified": "2023-12-15T02:45:54Z",
  "published": "2023-12-15T02:45:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/honojs/hono/security/advisories/GHSA-f6gv-hh8j-q8vq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50710"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honojs/hono/commit/8e2b6b08518998783f66d31db4f21b1b1eecc4c8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/honojs/hono"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honojs/hono/releases/tag/v3.11.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Named path parameters can be overridden in TrieRouter"
}
```