CVE-2023-26126
📋 TL;DR
CVE-2023-26126 is a directory traversal vulnerability in the m.static npm package that allows attackers to read arbitrary files on the server by manipulating file path requests. This affects all applications using m.static for static file serving without proper input validation. The vulnerability enables unauthorized access to sensitive server files.
💻 Affected Systems
- m.static npm package
📦 What is this software?
M.static by M.static Project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive configuration files, credentials, or source code, potentially leading to further attacks like privilege escalation or data exfiltration.
Likely Case
Unauthorized access to sensitive files such as configuration files, environment variables, or application source code, potentially exposing credentials or business logic.
If Mitigated
Limited impact with proper file system permissions, web application firewalls, and input validation preventing path traversal attempts.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP requests with directory traversal sequences (e.g., '../') to the static file endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://security.snyk.io/vuln/SNYK-JS-MSTATIC-3244915
Restart Required: Yes
Instructions:
1. Remove m.static from your project dependencies.
2. Replace with a maintained alternative like express.static or serve-static.
3. Update package.json and run npm install.
4. Restart your application.
🔧 Temporary Workarounds
Input Validation Middleware
Add middleware to validate and sanitize file paths before m.static processes them.
// Example Express middleware:
app.use('/static', (req, res, next) => {
  // req.path is still percent-encoded, so decode it first; otherwise
  // '%2e%2e' would slip past a plain '..' check.
  let decoded;
  try {
    decoded = decodeURIComponent(req.path);
  } catch (e) {
    return res.status(400).send('Invalid path'); // malformed encoding
  }
  if (decoded.includes('..') || decoded.includes('~') || decoded.includes('\0')) {
    return res.status(400).send('Invalid path');
  }
  next();
});
🧯 If You Can't Patch
- Implement strict file system permissions to limit m.static's access to only necessary directories.
- Deploy a web application firewall (WAF) with directory traversal protection rules.
🔍 How to Verify
Check if Vulnerable:
Check if your application uses m.static by examining package.json or running 'npm list m.static' in your project directory.
Check Version:
npm list m.static
Verify Fix Applied:
After removing m.static, verify it's no longer in dependencies with 'npm list m.static' and test that static file serving still works with your replacement.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../', '..\', or similar path traversal patterns to static file endpoints
- Unusual file access patterns or 400/403 errors from path validation
Network Indicators:
- HTTP requests with encoded traversal sequences (%2e%2e%2f)
- Multiple failed attempts to access files outside expected directories
SIEM Query:
source="web_logs" AND (uri="*..%2f*" OR uri="*../*" OR uri="*..\\*") AND status=200
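The log and network indicators above can be checked offline against access logs before a SIEM rule is in place. The following is an added example for this advisory, not tooling from the m.static project or the vendor; it assumes a combined/common log format, uses constructed sample lines (203.0.113.0/24 is a documentation address range), and the function names are mine.

```javascript
// Added example: scan web-server access-log lines for the traversal
// indicators listed in this advisory. Sample lines are constructed, not real
// logs; the combined-log-format assumption and function names are mine.

// Matches '../', '..\' and percent-encoded variants such as '%2e%2e%2f' or
// '..%5c' (case-insensitive), mirroring the indicators above.
const TRAVERSAL = /(\.\.|%2e%2e)(\/|\\|%2f|%5c)/i;

// Minimal parser for a combined/common log line: client, time, method, URI, status.
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], uri: m[4], status: Number(m[5]) };
}

// Returns every traversal attempt, separating those that returned 200 (the
// case the SIEM query above targets, since the server may have served the
// file) from those the server blocked, plus a per-client count so repeated
// attempts from one source stand out.
function findTraversalHits(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (entry && TRAVERSAL.test(entry.uri)) hits.push(entry);
  }
  const byIp = {};
  for (const h of hits) byIp[h.ip] = (byIp[h.ip] || 0) + 1;
  return {
    hits,
    succeeded: hits.filter((h) => h.status === 200),
    blocked: hits.filter((h) => h.status === 400 || h.status === 403),
    byIp,
  };
}

// Constructed sample lines: one benign request, one plain traversal that
// returned 200, one percent-encoded attempt blocked with 403, one
// backslash-encoded attempt rejected with 400.
const SAMPLE_LOG = [
  '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /static/css/app.css HTTP/1.1" 200 5120',
  '203.0.113.11 - - [10/Oct/2023:13:55:40 +0000] "GET /static/../../etc/passwd HTTP/1.1" 200 1024',
  '203.0.113.11 - - [10/Oct/2023:13:55:41 +0000] "GET /static/%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0',
  '203.0.113.12 - - [10/Oct/2023:13:55:42 +0000] "GET /static/..%5c..%5cwindows%5cwin.ini HTTP/1.1" 400 0',
];

const report = findTraversalHits(SAMPLE_LOG);
console.log(`${report.hits.length} traversal attempts, ${report.succeeded.length} returned 200`);
for (const h of report.succeeded) console.log('REVIEW (served 200):', h.ip, h.uri);
for (const [ip, n] of Object.entries(report.byIp)) console.log(`${ip}: ${n} attempt(s)`);
```

Entries in `succeeded` are the ones to investigate first; `blocked` entries confirm that the workaround middleware or WAF rule is firing, and `byIp` gives the "multiple failed attempts" view from the network indicators.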