CVE-2024-48914
📋 TL;DR
This vulnerability in Vendure's asset server plugin allows attackers to perform directory traversal attacks, enabling them to read arbitrary files on the server filesystem. This can expose sensitive configuration files, environment variables, and other critical data. All Vendure deployments using the vulnerable asset server plugin are affected.
💻 Affected Systems
- Vendure
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through exposure of secrets, credentials, and configuration files, potentially leading to data breaches, privilege escalation, and denial of service via server crashes.
Likely Case
Exfiltration of sensitive configuration data, environment variables, and potentially customer data stored in accessible files, leading to data exposure and potential credential theft.
If Mitigated
Limited impact with proper network segmentation, file system permissions, and monitoring in place, though the vulnerability still exists.
🎯 Exploit Status
The vulnerability is straightforward to exploit via crafted HTTP requests with directory traversal sequences.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.5 or 2.3.3
Vendor Advisory: https://github.com/vendure-ecommerce/vendure/security/advisories/GHSA-r9mq-3c9r-fmjq
Restart Required: Yes
Instructions:
1. Update Vendure to version 3.0.5 (for v3.x) or 2.3.3 (for v2.x).
2. Restart the Vendure server.
3. Verify the update was successful.
🔧 Temporary Workarounds
Use Object Storage
Configure Vendure to use external object storage (e.g., S3, MinIO) instead of the local file system for assets.
Middleware Block Directory Traversal
Implement middleware to detect and block requests containing directory traversal sequences like '/../'.
🧯 If You Can't Patch
- Implement network-level controls to restrict access to the asset server endpoint.
- Apply strict file system permissions to limit what files the Vendure process can read.
🔍 How to Verify
Check if Vulnerable:
Check if Vendure version is below 3.0.5 (for v3.x) or 2.3.3 (for v2.x) and if using the local asset server plugin.
Check Version:
Check package.json or run 'npm list @vendure/core' in the Vendure project directory.
Verify Fix Applied:
Confirm Vendure version is 3.0.5 or higher (v3.x) or 2.3.3 or higher (v2.x) and test that directory traversal requests are blocked.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '/../' patterns to asset endpoints
- Unusual file access patterns from the Vendure process
Network Indicators:
- HTTP requests with directory traversal sequences to asset server paths
SIEM Query:
http.url:*\/..\/* AND http.user_agent:*vendure*
🔗 References
- https://github.com/vendure-ecommerce/vendure/blob/801980e8f599c28c5059657a9d85dd03e3827992/packages/asset-server-plugin/src/plugin.ts#L352-L358
- https://github.com/vendure-ecommerce/vendure/commit/e2ee0c43159b3d13b51b78654481094fdd4850c5
- https://github.com/vendure-ecommerce/vendure/commit/e4b58af6822d38a9c92a1d8573e19288b8edaa1c
- https://github.com/vendure-ecommerce/vendure/security/advisories/GHSA-r9mq-3c9r-fmjq