CVE-2024-45401

7.5 HIGH

📋 TL;DR

A path traversal vulnerability in stripe-cli allows an attacker to overwrite arbitrary files on the system when a user installs a plugin from an archive (via the --archive-url or --archive-path flags) whose manifest contains a malformed shortname. This affects users of stripe-cli versions 1.11.1 through 1.21.2 who install plugins from archives. The vulnerability could lead to file corruption, privilege escalation, or remote code execution.

💻 Affected Systems

Products:
  • stripe-cli
Versions: 1.11.1 through 1.21.2
Operating Systems: Linux, macOS, Windows
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when installing plugins using --archive-url or --archive-path flags with malicious manifests.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through arbitrary file overwrite leading to privilege escalation, remote code execution, or destruction of critical system files.

🟠

Likely Case

Local file corruption or unauthorized modification of configuration files, potentially disrupting payment processing workflows.

🟢

If Mitigated

No impact if plugin installation from archives is disabled or if vulnerable versions are not used.

🌐 Internet-Facing: LOW - Requires local access or tricking a user into running a malicious command with the specific flags.
🏢 Internal Only: MEDIUM - Internal users with stripe-cli access could exploit this for privilege escalation or data manipulation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to install a malicious plugin archive. No evidence of exploitation in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.21.3

Vendor Advisory: https://github.com/stripe/stripe-cli/security/advisories/GHSA-fv4g-gwpj-74gr

Restart Required: No

Instructions:

1. Update stripe-cli to version 1.21.3 or later using your package manager.
2. For npm: 'npm update -g stripe-cli'.
3. For direct install: download the latest release from GitHub releases.
4. Verify the version with 'stripe version'.

🔧 Temporary Workarounds

Disable plugin installation from archives

Platform: all

Avoid using the --archive-url or --archive-path flags when installing plugins

# Only install plugins from trusted sources without archive flags
# stripe plugins install <plugin-name>

Remove vulnerable versions

Platform: all

Uninstall vulnerable stripe-cli versions

# npm: npm uninstall -g stripe-cli
# macOS brew: brew uninstall stripe-cli
# Linux: sudo apt remove stripe-cli or equivalent

🧯 If You Can't Patch

  • Restrict stripe-cli usage to trusted users only
  • Implement strict change control for plugin installation processes

🔍 How to Verify

Check if Vulnerable:

Run 'stripe version' and check if version is between 1.11.1 and 1.21.2 inclusive.

Check Version:

stripe version

Verify Fix Applied:

Run 'stripe version' and confirm version is 1.21.3 or higher.
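As an added example (not from the advisory or the stripe-cli project), a POSIX shell check that compares a version string against the affected range 1.11.1 through 1.21.2 inclusive. It assumes the version string has already been extracted from the output of 'stripe version', whose exact format the advisory does not show.

```shell
# Added example, not part of the advisory or of stripe-cli.
# Assumption: versions are plain MAJOR.MINOR.PATCH, optionally prefixed with "v"
# and optionally followed by a suffix such as "-beta", which is ignored.

# Strip an optional leading "v" and anything after the numeric MAJOR.MINOR.PATCH part.
normalize_version() {
  printf '%s\n' "$1" | sed 's/^v//; s/[^0-9.].*$//'
}

# Compare two dotted versions component by component; prints lt, eq or gt.
# Missing components are treated as 0, so "1.11" compares as "1.11.0".
vercmp() {
  v1=$(normalize_version "$1"); v2=$(normalize_version "$2")
  i=0
  while [ "$i" -lt 3 ]; do
    p1=${v1%%.*}; v1=${v1#"$p1"}; v1=${v1#.}
    p2=${v2%%.*}; v2=${v2#"$p2"}; v2=${v2#.}
    p1=${p1:-0}; p2=${p2:-0}
    if [ "$p1" -lt "$p2" ]; then echo lt; return 0; fi
    if [ "$p1" -gt "$p2" ]; then echo gt; return 0; fi
    i=$((i + 1))
  done
  echo eq
}

# Exit status 0 when the given version lies within the CVE-2024-45401 range
# 1.11.1 .. 1.21.2 (inclusive), 1 otherwise.
is_affected_version() {
  [ "$(vercmp "$1" 1.11.1)" != lt ] && [ "$(vercmp "$1" 1.21.2)" != gt ]
}

# Usage against an installed binary (assumes the first line of the output carries the
# version; adjust the extraction to the real output format):
#   is_affected_version "$(stripe version | head -n1)" && echo affected || echo "not in range"
```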

📡 Detection & Monitoring

Log Indicators:

  • Plugin installation logs with --archive-url or --archive-path flags
  • Unexpected file modification events in system directories

Network Indicators:

  • Downloads from unusual URLs during plugin installation

SIEM Query:

process.name:"stripe" AND (cmd_line:"*--archive-url*" OR cmd_line:"*--archive-path*")

🔗 References
