CVE-2024-39918

Description

### Summary When trying to add a `BLOCK_LIST` feature when the maintainer noticed they didn't sanitize the `ImageId` in the code, which leads to path traversal vulnerability. Now, this is different from a traditional path traversal issue, because as of NOW you can store the image in any place arbitrarily, and given enough time they might be able to come up with a working exploit BUT for the time being they am reporting this. ### Details @jmondi/url-to-png does not sanitizing the `ImageID` as in not removing special chars from the params [(extract_query_params.ts#l75)](https://github.com/jasonraimondi/url-to-png/blob/e43098e0af3a380ebc044e7f303a83933b94b434/src/middlewares/extract_query_params.ts#L75) ```js const imageId = dateString + "." + slugify(validData.url) +configToString(params); ``` This when fed to other parts of the code such as ([filesystem.ts#L34](https://github.com/jasonraimondi/url-to-png/blob/8afc00247c1d7e6c7b37356a5f6282b486e596fa/src/lib/storage/filesystem.ts#L34)) ```js return path.join(this.storagePath, imageId) + ".png"; ``` Would result in path traversal issue. ### PoC ``` # Configuration for filesystem storage provider (optional) STORAGE_PROVIDER=filesystem IMAGE_STORAGE_PATH=poc ``` Set this in your `.env` file and use this as your payload. ``` http://localhost:3089/?url=http://example.com&width=400&isDarkMode=../../../../../../../../../../../../tmp/hack ``` This will create a `.png` file in the `/tmp` section of the system. Loom POC: https://www.loom.com/share/bd7b306cdae7445c97e68f0626e743a6 This is valid for pretty much all the arguments (except for numeric values) A simple fix would be to use the `slugify` for the params as well like so ([#L75](https://github.com/jasonraimondi/url-to-png/blob/e43098e0af3a380ebc044e7f303a83933b94b434/src/middlewares/extract_query_params.ts#L75)) ```diff - const imageId = dateString + "." + slugify(validData.url) + configToString(params); + const imageId = dateString + "." + slugify(validData.url) + slugify(configToString(params)); ``` ### Impact This would be path traversal vulnerability which allows arbitrary write as of now.

How to fix CVE-2024-39918

To remediate CVE-2024-39918, upgrade the affected package to a fixed version below.

—upgrade to 2.1.2 or later

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

How to fix CVE-2024-39918

Is CVE-2024-39918 being exploited?

Affected packages (1)

CVSS scores

References (6)