VYPR
Moderate severity · NVD Advisory · Published Feb 9, 2018 · Updated Aug 5, 2024

CVE-2018-1000023


Description

Insight-api <=5.0.0's transaction broadcast endpoint returns full server file paths due to insufficient input validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Bitpay/insight-api version 5.0.0 and earlier contains a CWE-20 (improper input validation) weakness in the transaction broadcast endpoint (POST /insight-api/tx/send). When the endpoint receives unexpected or malformed data, the error response it returns includes the server-side file system path of the application, a Full Path Disclosure [1][2].

Exploitation

An attacker exploits this by sending a crafted HTTP request to POST /insight-api/tx/send with a malformed rawtx parameter (for example, an object where a hex string is expected). The server answers with a JavaScript stack trace, and Node stack frames carry the absolute path of every module on the call stack, as demonstrated in the GitHub issue [2]. No authentication or special privileges are required; the attack is a single standard web request [1][2].

Impact

Successful exploitation reveals the absolute path of the application's installation directory and the layout of its code and dependencies; where the path starts with a home directory it also reveals the account the service runs under. This is reconnaissance data that makes later attacks needing exact paths easier to aim; on its own the flaw does not yield code execution or access to data [2].

Mitigation

The vulnerability is present in insight-api version 5.0.0 and earlier [1][4]. The references identify no official patched version. As a workaround, validate the rawtx parameter before it reaches the transaction decoder and make sure error responses sent to clients carry no stack traces or file paths; an unpatched deployment either upgrades to a newer release, if one is available, or applies a local fix to the broadcastTX function [2].
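The handler pattern behind the Exploitation and Mitigation sections above, as an added example that is not insight-api's own code: a catch-all that reflects the Error object to the client, beside a hardened version that validates rawtx first and keeps stack traces server-side. The functions broadcastTxVulnerable, broadcastTxHardened, validateRawTx and leaksPath are hypothetical names chosen for this illustration; decodeRawTransaction is a constructed stand-in for the node's transaction decoder (it only checks hex shape and a minimum serialized size), and the paths in SAMPLE_LEAKED_BODY are made up.

```javascript
// Added illustration (not insight-api's code): the error-handling pattern
// behind CVE-2018-1000023 and a hardened replacement.

// Constructed stand-in for the node's transaction decoder. A real decoder
// parses the serialized transaction; this one throws the way a hex decoder
// would on bad input. The minimum size (10 bytes) is version + vin count +
// vout count + locktime, the smallest possible serialized transaction.
function decodeRawTransaction(rawtx) {
  if (typeof rawtx !== 'string') {
    // Mimics the TypeError a hex decoder raises for a non-string argument.
    throw new TypeError('Expected string, got ' + typeof rawtx);
  }
  if (rawtx.length === 0 || rawtx.length % 2 !== 0 || !/^[0-9a-fA-F]+$/.test(rawtx)) {
    throw new Error('Invalid hex string');
  }
  const size = rawtx.length / 2;
  if (size < 10) throw new Error('Transaction too short');
  return { size };
}

// VULNERABLE pattern: trust req.body.rawtx and, on any exception, return the
// Error (message plus stack) to the client. Node stack frames contain the
// absolute path of each module, so this leaks the install directory.
function broadcastTxVulnerable(body) {
  try {
    const tx = decodeRawTransaction(body.rawtx);
    return { status: 200, body: { txid: 'constructed-txid', size: tx.size } };
  } catch (err) {
    return { status: 500, body: { error: err.stack || String(err) } };
  }
}

// HARDENED pattern: reject anything that is not an even-length hex string
// before the decoder sees it, and never reflect Error internals.
const RAWTX_HEX = /^(?:[0-9a-fA-F]{2})+$/;

function validateRawTx(rawtx) {
  if (typeof rawtx !== 'string') return 'rawtx must be a hex string';
  if (!RAWTX_HEX.test(rawtx)) return 'rawtx must be non-empty hex with an even number of digits';
  return null;
}

// `log` receives the real Error so operators keep the stack trace; the client
// only ever sees a fixed message.
function broadcastTxHardened(body, log = () => {}) {
  const problem = validateRawTx(body && body.rawtx);
  if (problem) return { status: 400, body: { error: problem } };
  try {
    const tx = decodeRawTransaction(body.rawtx);
    return { status: 200, body: { txid: 'constructed-txid', size: tx.size } };
  } catch (err) {
    log(err);
    return { status: 500, body: { error: 'Transaction could not be broadcast' } };
  }
}

// Constructed sample of the kind of body the vulnerable handler returns when
// rawtx is an object instead of a string (paths are invented for this example).
const SAMPLE_LEAKED_BODY = {
  error: 'TypeError: Expected string, got object\n' +
    '    at decodeRawTransaction (/home/insight/node_modules/insight-api/lib/transactions.js:42:11)\n' +
    '    at broadcastTx (/home/insight/node_modules/insight-api/lib/transactions.js:120:15)',
};

// Response check usable in a test or a reverse proxy: does the body contain an
// absolute path (POSIX /a/b or Windows C:\a)? The Windows branch accounts for
// JSON doubling backslashes.
const ABS_PATH = /(?:^|[\s(])(?:\/[\w.-]+){2,}|[A-Za-z]:\\[\w.\\-]+/;
function leaksPath(body) {
  return ABS_PATH.test(JSON.stringify(body));
}
```

Running broadcastTxVulnerable({ rawtx: {} }) returns a 500 whose error field is the stack trace of the TypeError, which is exactly what leaksPath flags; the hardened handler turns the same request into a 400 with a fixed message and passes only the generic string for inputs that are well-formed hex but still fail decoding.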

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: insight-api (npm)
Affected versions: <= 5.0.0
Patched versions: (none listed)

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)