CVE-2024-57189
📋 TL;DR
This vulnerability allows authenticated attackers to write arbitrary files on the system via path traversal in Erxes's GraphQL API. It affects all Erxes installations before version 1.6.2 where users have authenticated access. Attackers can potentially overwrite critical system files or deploy malicious code.
💻 Affected Systems
- Erxes
📦 What is this software?
Erxes by Erxes
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary file write leading to remote code execution, data destruction, or persistent backdoor installation.
Likely Case
Unauthorized file modification, configuration tampering, or privilege escalation by overwriting sensitive files.
If Mitigated
Limited impact if proper file permissions restrict write access to non-critical directories and strong authentication controls are in place.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. Path traversal payloads are well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.2
Vendor Advisory: https://github.com/erxes/erxes/commit/d626070a0fcd435ae29e689aca051ccfb440c2f3
Restart Required: Yes
Instructions:
1. Backup your Erxes installation and database. 2. Update to Erxes version 1.6.2 or later. 3. Restart all Erxes services. 4. Verify the fix by checking the version and testing the importHistoriesCreate endpoint.
🔧 Temporary Workarounds
Disable GraphQL import endpoint
allTemporarily disable the vulnerable GraphQL mutation handler
Modify GraphQL schema to remove or restrict importHistoriesCreate mutation
Implement input validation middleware
allAdd path traversal validation before file operations
Implement sanitization for file path parameters in GraphQL resolvers
🧯 If You Can't Patch
- Implement strict file system permissions to restrict write access to application directories only
- Deploy web application firewall (WAF) rules to block path traversal patterns in GraphQL requests
🔍 How to Verify
Check if Vulnerable:
Check if Erxes version is below 1.6.2 and test the importHistoriesCreate endpoint with path traversal payloads.Check Version:
Check package.json or run: node -e "console.log(require('./package.json').version)" in Erxes directoryVerify Fix Applied:
After updating to 1.6.2+, attempt to exploit the vulnerability with the same payloads and verify they are rejected.📡 Detection & Monitoring
Log Indicators:
- GraphQL queries with '../' sequences in importHistoriesCreate
- File write operations outside expected directories
- Unauthorized file modification attempts
Network Indicators:
- GraphQL requests with path traversal patterns in payloads
- Unusual file upload patterns to import endpoints
SIEM Query:
source="erxes" AND ("importHistoriesCreate" AND "../") OR ("path traversal" AND "GraphQL")