Node.js third-party modules: [buttle] Path traversal in mid-buttle module allows to read any file in the server.

ID H1:358112
Type hackerone
Reporter n0n4me
Modified 2018-06-27T05:21:29


Hello Node.js third-party modules

I would like to report path traversal in buttle module It allows me to read any file in the server if i know the path.


module name: buttle version: 0.2.0 npm page:

Module Description

Simple static file (+ markdown) server.

Module Stats

[21] downloads in the last week


Vulnerability Description

module mid-buttle.js uses regex to check the url containing the string ".markdown". I think, the right check of the author wants, is string ".markdown" located the end of the url. But he forgot the $ in the regex. That is the first vulnerability. The second is he does not check for path traversal (../).

var url = req.url; if(/\.md$/i.test(url) || /\.markdown/i.test(url)) { fs.exists(j(dir, url), function(exists) { if(exists) { fs.readFile(j(dir, url), {encoding: 'utf8'}, function(err, data) { if(err) { return res.end(err.message); } res.end(wrapInHtml(md(data))); }); } else { next(); } }); } else { next(); } Link in github:

Steps To Reproduce:

install buttle $ npm install -g buttle start buttle $ buttle ./ start the burpsuite. Enter the url contain string ".markdown" and ../ to traverse to the file you want. {F302395}


I recommend that: 1. Should filter ".." in url before using that for reading file. (check path traversal) 2. correct the specific string in the url for your check. (check logic bug)

Supporting Material/References:

  • Kali linux 4.15.0
  • v8.11.2
  • 6.1.0
  • Burpsuite community

Wrap up

  • I contacted the maintainer to let them know: N
  • I opened an issue in the related repository: N


The malicious user can use this vulnerability to read some file containing credential, ssh key files, source code ...