# GHSA-f6gv-hh8j-q8vq
Vulnerability from GitHub
### Impact
Named path parameter values captured for one request can be overwritten by a later request when the application uses TrieRouter. As a result, a privileged user may end up acting on unintended parameters, for example when deleting REST API resources.
TrieRouter is used either explicitly or as the fallback when the application registers a route pattern that the default RegExpRouter does not support.
Code to reproduce the issue. The server-side application:
```ts
import { Hono } from 'hono'
import { TrieRouter } from 'hono/router/trie-router'

// Artificial delay so that concurrent requests overlap inside the middleware
const wait = async (ms: number) => {
  return new Promise((resolve) => {
    setTimeout(resolve, ms)
  })
}

// Select TrieRouter explicitly
const app = new Hono({ router: new TrieRouter() })

// Hold every request for a random 0-200 ms before its handler runs
app.use('*', async (c, next) => {
  await wait(Math.random() * 200)
  return next()
})

app.get('/modules/:id/versions/:version', async (c) => {
  // Read the named path parameters captured for this request
  const id = c.req.param('id')
  const version = c.req.param('version')

  console.log('path', c.req.path)
  console.log('version', version)

  return c.json({
    id,
    version,
  })
})

export default app
```
The client code that sends requests to the server application:
```ts
const examples = [
  'http://localhost:8787/modules/first/versions/first',
  'http://localhost:8787/modules/second/versions/second',
  'http://localhost:8787/modules/third/versions/third',
]

const test = () => {
  // Fire all requests without awaiting, so they are in flight at the same time
  for (const example of examples) {
    fetch(example)
      .then((response) => response.json())
      .then((data) => {
        // The last path segment is the :version value the server should echo back
        const splitted = example.split('/')
        const expected = splitted[splitted.length - 1]

        if (expected !== data.version) {
          console.error(`Error: exprected ${expected} but got ${data.version} - url was ${example}`)
        }
      })
  }
}

test()
```
The results:
```txt
Error: exprected second but got third - url was http://localhost:8787/modules/second/versions/second
Error: exprected first but got third - url was http://localhost:8787/modules/first/versions/first
```
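To show the class of bug behind these results, here is an added example (not Hono's code, and the route classes are an assumed simplified model of the flaw, not Hono's TrieRouter implementation): a route that keeps one shared `params` object and reuses it for every request, beside the fixed shape that allocates a fresh object per match. `simulate` reproduces the advisory's timing, where all matches complete before any handler reads its parameters.

```typescript
type Params = Record<string, string>
type Route = { match(path: string): Params | null }
// Writes each ':name' segment of `pattern` that `path` fills into `into`.
// Returns false when the path does not match the pattern.
function capture(pattern: string, path: string, into: Params): boolean {
  const pp = pattern.split('/')
  const sp = path.split('/')
  if (pp.length !== sp.length) return false
  for (let i = 0; i < pp.length; i++) {
    if (pp[i].startsWith(':')) into[pp[i].slice(1)] = sp[i]
    else if (pp[i] !== sp[i]) return false
  }
  return true
}
// Flawed shape (an assumed model of the bug class, not Hono's code): one params
// object lives on the route and is reused by every request, so a later match
// overwrites the values an earlier, still-pending request will read.
class SharedParamsRoute implements Route {
  private pattern: string
  private params: Params = {}
  constructor(pattern: string) { this.pattern = pattern }
  match(path: string): Params | null {
    return capture(this.pattern, path, this.params) ? this.params : null
  }
}
// Fixed shape: each match allocates a fresh params object for its own request.
class PerRequestParamsRoute implements Route {
  private pattern: string
  constructor(pattern: string) { this.pattern = pattern }
  match(path: string): Params | null {
    const params: Params = {}
    return capture(this.pattern, path, params) ? params : null
  }
}
// Models the advisory's timing: all requests are matched before any handler
// runs (the async middleware yields in between), then each handler reads
// the :version it believes belongs to its own request.
function simulate(route: Route, paths: string[]): string[] {
  const matched = paths.map((p) => route.match(p))
  return matched.map((m) => (m ? m.version : 'no-match'))
}
// Constructed request paths in the shape of the advisory's reproducer.
const pattern = '/modules/:id/versions/:version'
const constructedPaths = ['/modules/first/versions/first', '/modules/second/versions/second', '/modules/third/versions/third']
function sharedResult(): string[] { return simulate(new SharedParamsRoute(pattern), constructedPaths) }
function perRequestResult(): string[] { return simulate(new PerRequestParamsRoute(pattern), constructedPaths) }
```

With the shared object every handler sees the last matched value (`third`), which is exactly the pattern in the error lines above; the per-request object returns each request its own value.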
### Patches
Version v3.11.7 includes the change that fixes this issue.
### Workarounds
Don't use TrieRouter directly.
```ts
// DON'T USE TrieRouter
import { Hono } from 'hono'
import { TrieRouter } from 'hono/router/trie-router'
const app = new Hono({ router: new TrieRouter() })
```
### References
- Router options on the Hono website: https://hono.dev/api/hono#router-option
Advisory record (OSV format; the `details` field repeats the advisory text above and is not shown again):
```json
{
  "id": "GHSA-f6gv-hh8j-q8vq",
  "summary": "Named path parameters can be overridden in TrieRouter",
  "aliases": ["CVE-2023-50710"],
  "affected": [
    {
      "package": { "ecosystem": "npm", "name": "hono" },
      "ranges": [
        { "type": "ECOSYSTEM", "events": [{ "introduced": "0" }, { "fixed": "3.11.7" }] }
      ]
    }
  ],
  "database_specific": {
    "cwe_ids": ["CWE-94"],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-15T02:45:54Z",
    "nvd_published_at": "2023-12-14T18:15:45Z",
    "severity": "MODERATE"
  },
  "severity": [
    { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L" }
  ],
  "references": [
    { "type": "WEB", "url": "https://github.com/honojs/hono/security/advisories/GHSA-f6gv-hh8j-q8vq" },
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50710" },
    { "type": "WEB", "url": "https://github.com/honojs/hono/commit/8e2b6b08518998783f66d31db4f21b1b1eecc4c8" },
    { "type": "PACKAGE", "url": "https://github.com/honojs/hono" },
    { "type": "WEB", "url": "https://github.com/honojs/hono/releases/tag/v3.11.7" }
  ],
  "published": "2023-12-15T02:45:54Z",
  "modified": "2023-12-15T02:45:54Z",
  "schema_version": "1.4.0"
}
```
### Sightings
### Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.