CVE-2024-1163 – CVE-2024-1163 is a path traversal vulnerability... (How to Fix)

Q: What is the severity of CVE-2024-1163?

CVE-2024-1163 has a CVSS score of 7.1 (HIGH). CVE-2024-1163 is a path traversal vulnerability in mapshaper that allows attackers to access files outside the intended directory, potentially exposing sensitive information. This affects users running vulnerable versions of mapshaper, particularly those processing untrusted input. The vulnerability stems from improper validation of file paths.

📋 TL;DR

CVE-2024-1163 is a path traversal vulnerability in mapshaper that allows attackers to access files outside the intended directory, potentially exposing sensitive information. This affects users running vulnerable versions of mapshaper, particularly those processing untrusted input. The vulnerability stems from improper validation of file paths.

💻 Affected Systems

Products:

mapshaper

Versions: Versions before commit 7437d903c0a87802c3751fc529d2de7098094c72

Operating Systems: All platforms running mapshaper

Default Config Vulnerable: ⚠️ Yes

Notes: Affects mapshaper when processing user-controlled file paths. The vulnerability is in the core path handling logic.

📦 What is this software?

Mapshaper by Mapshaper

View all CVEs affecting Mapshaper →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system file disclosure including configuration files, credentials, and sensitive data, potentially leading to further compromise.

🟠

Likely Case

Disclosure of application files, configuration data, or other accessible files within the server context.

🟢

If Mitigated

Limited to non-sensitive file access if proper file permissions and input validation are in place.

🌐 Internet-Facing: HIGH - Web applications using mapshaper to process user-supplied files are directly exposed.

🏢 Internal Only: MEDIUM - Internal systems could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires the ability to control file path inputs to mapshaper. The fix commit demonstrates the vulnerable pattern.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 7437d903c0a87802c3751fc529d2de7098094c72 and later

Vendor Advisory: https://github.com/mbloch/mapshaper/commit/7437d903c0a87802c3751fc529d2de7098094c72

Restart Required: No

Instructions:

1. Update mapshaper to the latest version. 2. If using source, apply commit 7437d903c0a87802c3751fc529d2de7098094c72. 3. Rebuild/redeploy the application.

🔧 Temporary Workarounds

Input validation wrapper

all

Implement strict input validation for all file paths before passing to mapshaper

# Example: Validate path doesn't contain ../ or absolute paths
# before calling mapshaper functions

Chroot/jail environment

linux

Run mapshaper in a restricted filesystem environment

# Use chroot, containers, or sandboxing to limit filesystem access

🧯 If You Can't Patch

Implement strict input validation to reject paths containing ../, absolute paths, or other traversal sequences
Run mapshaper with minimal filesystem permissions and in a restricted environment

🔍 How to Verify

Check if Vulnerable:

Check if mapshaper version is before commit 7437d903c0a87802c3751fc529d2de7098094c72 by examining the source or version metadata

Check Version:

git log --oneline -1 # For source installations, or check package version

Verify Fix Applied:

Verify the commit hash includes 7437d903c0a87802c3751fc529d2de7098094c72 or test with controlled path traversal attempts

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns
Failed path normalization attempts
Access to files outside expected directories

Network Indicators:

HTTP requests with ../ sequences in file parameters
Unusual file read patterns from mapshaper processes

SIEM Query:

source="mapshaper.log" AND ("../" OR "..\\" OR "/etc/" OR "C:\\")

📊 Metadata

CVE ID: CVE-2024-1163

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE: CWE-22

Published: February 13, 2024

Last Updated: November 21, 2024

🔗 References

https://github.com/mbloch/mapshaper/commit/7437d903c0a87802c3751fc529d2de7098094c72 Patch
https://huntr.com/bounties/c1cbc18b-e4ab-4332-ad13-0033f0f976f5 Exploit,Third Party Advisory
https://github.com/mbloch/mapshaper/commit/7437d903c0a87802c3751fc529d2de7098094c72 Patch
https://huntr.com/bounties/c1cbc18b-e4ab-4332-ad13-0033f0f976f5 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-1163, you might also want to check these: