Lucene search

GoogleOSV:GHSA-F6GV-HH8J-Q8VQ

HistoryDec 15, 2023 - 2:45 a.m.

Named path parameters can be overridden in TrieRouter

2023-12-1502:45:54

Google

osv.dev

trierouter

overriding

named parameters

rest api

security issue

hono

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score

7.2

Confidence

Low

EPSS

0.001

Percentile

20.6%

JSON

Impact

The clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources.

TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter.

The code to reproduce it. The server side application:

import { Hono } from 'hono'
import { TrieRouter } from 'hono/router/trie-router'

const wait = async (ms: number) =&gt; {
  return new Promise((resolve) =&gt; {
    setTimeout(resolve, ms)
  })
}

const app = new Hono({ router: new TrieRouter() })

app.use('*', async (c, next) =&gt; {
  await wait(Math.random() * 200)
  return next()
})

app.get('/modules/:id/versions/:version', async (c) =&gt; {
  const id = c.req.param('id')
  const version = c.req.param('version')

  console.log('path', c.req.path)
  console.log('version', version)

  return c.json({
    id,
    version,
  })
})

export default app

The client code which makes requests to the server application:

const examples = [
  'http://localhost:8787/modules/first/versions/first',
  'http://localhost:8787/modules/second/versions/second',
  'http://localhost:8787/modules/third/versions/third',
]

const test = () =&gt; {
  for (const example of examples) {
    fetch(example)
      .then((response) =&gt; response.json())
      .then((data) =&gt; {
        const splitted = example.split('/')
        const expected = splitted[splitted.length - 1]

        if (expected !== data.version) {
          console.error(`Error: exprected ${expected} but got ${data.version} - url was ${example}`)
        }
      })
  }
}

test()

The results:

Error: exprected second but got third - url was http://localhost:8787/modules/second/versions/second
Error: exprected first but got third - url was http://localhost:8787/modules/first/versions/first

Patches

“v3.11.7” includes the change to fix this issue.

Workarounds

Don’t use TrieRouter directly.

// DON'T USE TrieRouter
import { TrieRouter } from 'hono/router/trie-router'
const app = new Hono({ router: new TrieRouter() })

References

Router options on the Hono website: https://hono.dev/api/hono#router-option

References

github.com/honojs/hono

github.com/honojs/hono/commit/8e2b6b08518998783f66d31db4f21b1b1eecc4c8

github.com/honojs/hono/releases/tag/v3.11.7

github.com/honojs/hono/security/advisories/GHSA-f6gv-hh8j-q8vq

nvd.nist.gov/vuln/detail/CVE-2023-50710

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score

7.2

Confidence

Low

EPSS

0.001

Percentile

20.6%

JSON

Related for OSV:GHSA-F6GV-HH8J-Q8VQ