Skip to content

Commit 7e70bd9

Browse files
1 parent 7d47c66 commit 7e70bd9

2 files changed

Lines changed: 184 additions & 0 deletions

File tree

Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,58 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3p34-w4f6-5xh2",
4+
"modified": "2026-06-26T20:56:26Z",
5+
"published": "2026-06-26T20:56:26Z",
6+
"aliases": [],
7+
"summary": "better-helperjs Vulnerable to Directory Traversal via String Prefix Bypass in Static Server",
8+
"details": "## Summary\nA directory traversal vulnerability exists in the production static file server of `better-helperjs` (`<= 3.0.5`). Attackers can read arbitrary files located in adjacent directory structures that share the same string prefix as the intended static root directory.\n\n## Details\nThe framework utilizes a custom static file server engine used when running in `NODE_ENV=production` (`src/ssr/site-server.ts`). Inside the `safeStaticPath()` method, the requested path is checked against the static root directory to prevent directory traversal out of the designated public folder.\n\nHowever, the validation uses `String.prototype.startsWith()`:\n```typescript\n const root = path.resolve(rootDir);\n const resolved = path.resolve(root, `.${decodedPath}`);\n \n if (!resolved.startsWith(root)) {\n return null;\n }\n```\nThis is logically flawed because `startsWith` evaluates plain strings rather than structural directory paths. If the application's assigned `rootDir` is `/app/dist/client`, and an attacker tries to access `/app/dist/client-secrets/database.sqlite`, the string `\"/app/dist/client-secrets/database.sqlite\"` successfully **starts with** `\"/app/dist/client\"`. \n\nBecause of this bypass, an attacker can read sensitive files stored inside any adjacent directory traversing through the parent, as long as the adjacent directory name begins with the exact same prefix as the target public directory.\n\n## Impact\n- **Severity:** High (7.5)\n- **Vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`\n- **Affected Versions:** `<= 3.0.5`\n- **Patched Version:** `>= 3.0.6`\n\n## Proof of Concept\nTo reproduce this locally on a vulnerable installation:\n1. Assume the framework static configuration serves from a `.dist/client` directory.\n2. Build the project and create an adjacent prefix secret simulating sensitive deployment structure:\n ```bash\n npm run build\n mkdir -p dist/client-secrets\n echo \"EXPOSED_SECRET\" > dist/client-secrets/secret.txt\n ```\n3. Start the application in Production mode (`NODE_ENV=production tsx server.ts`).\n4. Using an HTTP client that doesn't pre-normalize `/../` paths (e.g., `netcat` or raw sockets), send a GET request spanning into the prefix-sharing adjacent folder:\n ```http\n GET /%2e%2e%2fclient-secrets/secret.txt HTTP/1.1\n Host: localhost:4174\n Connection: close\n ```\n5. The server incorrectly validates the path and responds with `HTTP/1.1 200 OK` exposing `EXPOSED_SECRET`.\n\n*(Note: Developer environment `npm run dev` servers are immune as static requests are handled defensively by Vite's Dev Middlewares. This vulnerability only triggers upon `production` starts).*\n\n## Remediation / Patches\nThe path validation block has been updated to mandate exact path separation bounds by enforcing `path.sep` onto the evaluated traversal string.\n```typescript\n // Enforces separator OR exact root matches preventing prefix extension\n if (!resolved.startsWith(root + path.sep) && resolved !== root) {\n return null;\n }\n```\n\n## Workarounds\nIf upgrading is temporarily impossible, users can safeguard their environment by ensuring no sensitive directories are deployed adjacent to their static build `client` directories sharing the identical word-prefix string.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "better-helperjs"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "3.0.6"
30+
}
31+
]
32+
}
33+
],
34+
"database_specific": {
35+
"last_known_affected_version_range": "<= 3.0.5"
36+
}
37+
}
38+
],
39+
"references": [
40+
{
41+
"type": "WEB",
42+
"url": "https://github.com/Rigby-Foundation/BetterHelperjs/security/advisories/GHSA-3p34-w4f6-5xh2"
43+
},
44+
{
45+
"type": "PACKAGE",
46+
"url": "https://github.com/Rigby-Foundation/BetterHelperjs"
47+
}
48+
],
49+
"database_specific": {
50+
"cwe_ids": [
51+
"CWE-22"
52+
],
53+
"severity": "HIGH",
54+
"github_reviewed": true,
55+
"github_reviewed_at": "2026-06-26T20:56:26Z",
56+
"nvd_published_at": null
57+
}
58+
}
Lines changed: 126 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,126 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-pw9p-jvrm-f7rm",
4+
"modified": "2026-06-26T20:55:55Z",
5+
"published": "2026-06-26T20:55:55Z",
6+
"aliases": [
7+
"CVE-2026-48979"
8+
],
9+
"summary": "PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling",
10+
"details": "## Impact\n\n`Psl\\H2\\ServerConnection` does not validate that the total bytes received in DATA frames match the `content-length` header declared in the HEADERS frame, in violation of RFC 9113 §8.1.1.\n\nA malicious client can:\n- Send more DATA bytes than declared, smuggling additional content past application-level size limits.\n- Send fewer DATA bytes than declared and close the stream early, causing applications that trust the declared length to behave incorrectly.\n\nThe vulnerability is only reachable for consumers using `Psl\\H2\\ServerConnection` directly to accept untrusted client traffic. The high-level `Psl\\HTTP\\Server` is in active development and was not yet released at the time of this advisory; consumers of documented high-level PSL APIs are not affected.\n\n## Patches\n\nFixed in [6.1.2](https://github.com/php-standard-library/php-standard-library/releases/tag/6.1.2) and [6.2.1](https://github.com/php-standard-library/php-standard-library/releases/tag/6.2.1).\n\n- Parses and validates the `content-length` header on incoming HEADERS (server-side only — clients do not enforce this per RFC 9110 §9.3.2).\n- Tracks cumulative DATA frame payload length per stream.\n- Throws `StreamException` on mismatch or overflow.\n\nRegression tests landed in [#781](https://github.com/php-standard-library/php-standard-library/pull/781), 9 of the new tests fail against the pre-fix code, proving the validation boundary is enforced.\n\n## Workarounds\n\nNone at the protocol layer. Applications using `Psl\\H2\\ServerConnection` directly should upgrade.\n\n## Resources\n\n- RFC 9113 §8.1.1 (HTTP/2 request/response exchange)\n- RFC 9110 §8.6 (content-length header)\n- https://github.com/php-standard-library/php-standard-library/releases/tag/6.1.2\n- https://github.com/php-standard-library/php-standard-library/releases/tag/6.2.1",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "php-standard-library/h2"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "6.1.0"
29+
},
30+
{
31+
"fixed": "6.1.2"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Packagist",
40+
"name": "php-standard-library/h2"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "6.2.0"
48+
},
49+
{
50+
"fixed": "6.2.1"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "Packagist",
59+
"name": "php-standard-library/php-standard-library"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "6.1.0"
67+
},
68+
{
69+
"fixed": "6.1.2"
70+
}
71+
]
72+
}
73+
]
74+
},
75+
{
76+
"package": {
77+
"ecosystem": "Packagist",
78+
"name": "php-standard-library/php-standard-library"
79+
},
80+
"ranges": [
81+
{
82+
"type": "ECOSYSTEM",
83+
"events": [
84+
{
85+
"introduced": "6.2.0"
86+
},
87+
{
88+
"fixed": "6.2.1"
89+
}
90+
]
91+
}
92+
]
93+
}
94+
],
95+
"references": [
96+
{
97+
"type": "WEB",
98+
"url": "https://github.com/php-standard-library/php-standard-library/security/advisories/GHSA-pw9p-jvrm-f7rm"
99+
},
100+
{
101+
"type": "ADVISORY",
102+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48979"
103+
},
104+
{
105+
"type": "PACKAGE",
106+
"url": "https://github.com/php-standard-library/php-standard-library"
107+
},
108+
{
109+
"type": "WEB",
110+
"url": "https://github.com/php-standard-library/php-standard-library/releases/tag/6.1.2"
111+
},
112+
{
113+
"type": "WEB",
114+
"url": "https://github.com/php-standard-library/php-standard-library/releases/tag/6.2.1"
115+
}
116+
],
117+
"database_specific": {
118+
"cwe_ids": [
119+
"CWE-444"
120+
],
121+
"severity": "HIGH",
122+
"github_reviewed": true,
123+
"github_reviewed_at": "2026-06-26T20:55:55Z",
124+
"nvd_published_at": "2026-06-17T21:16:23Z"
125+
}
126+
}

0 commit comments

Comments
 (0)