CVE-2018-11798

Moderate severity · NVD Advisory · Published Jan 7, 2019 · Updated Aug 5, 2024

Description

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 has been determined to contain a security vulnerability in which a remote user is able to access files outside the web server's configured docroot path.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Thrift Node.js static web server 0.9.2-0.11.0 allows remote file access outside the docroot due to improper path sanitization.

Vulnerability

The Apache Thrift Node.js static web server, versions 0.9.2 through 0.11.0, contains a path traversal vulnerability in its static file serving. The server joins the request path onto the configured document root without checking that the result still lies inside it, so requests can escape the docroot. The affected code is the file handler of the server created by createWebServer in lib/nodejs/lib/thrift/web_server.js (the TWebServer component). [1][3][4]

Exploitation

An unauthenticated remote attacker can send HTTP requests with crafted path sequences (e.g., ../) to traverse directories outside the intended web root. No special privileges or user interaction is required; the attacker only needs network access to the vulnerable server. [1][4]

Impact

Successful exploitation allows the attacker to read arbitrary files from the server's filesystem that are accessible to the Thrift process. This can lead to disclosure of sensitive information such as configuration files, source code, or other data. The confidentiality of the system is compromised. [2][3]

Mitigation

The vulnerability is fixed in Apache Thrift version 0.12.0. Users should upgrade to 0.12.0 or later. For Red Hat JBoss Data Virtualization, the fix is included in version 6.4.8 (RHSA-2019:3140). No workarounds are documented; upgrading is the recommended action. [1][2][4]

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           org.apache.thrift:libthrift (Maven)
Affected versions: >= 0.9.2, < 0.12.0
Patched versions:  0.12.0


Patches

Commit 2a2b72f6c8ae

Thrift-4647: Node.js Fileserver webroot fixed path

https://github.com/apache/thrift · jfarrell · Oct 5, 2018 · via GHSA
3 files changed · +11 −3
  • lib/js/test/server_http.js (+1 −1, modified)
    @@ -42,7 +42,7 @@ const ThriftTestSvcOpt = {
     };
     
     const ThriftWebServerOptions = {
    -	files: '.',
    +	files: __dirname,
     	services: {
     		'/service': ThriftTestSvcOpt
     	}
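Review bot: the switch from `files: '.'` to `files: __dirname` is needed for more than tidiness, and the commit message should say so: the guard added in web_server.js compares a `path.resolve`d filename against `baseDir` as a string prefix, so with `files: '.'` the prefix would be a literal dot, the absolute filename would never start with it, and every request to the test server would get the new 400. An absolute docroot keeps the test working; the same trap awaits any user who passes a relative `files` option, which argues for resolving the option inside the library rather than relying on callers.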
    
  • lib/js/test/server_https.js (+1 −1, modified)
    @@ -42,7 +42,7 @@ const ThriftTestSvcOpt = {
     };
     
     const ThriftWebServerOptions = {
    -  files: '.',
    +  files: __dirname,
       tls: {
          key: fs.readFileSync('../../../test/keys/server.key'),
          cert: fs.readFileSync('../../../test/keys/server.crt')
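Review bot: same `files: __dirname` change as in server_http.js, but the `tls.key` and `tls.cert` reads two lines below still use paths relative to the process working directory (`'../../../test/keys/server.key'`, `'../../../test/keys/server.crt'`); for consistency with the now absolute docroot, build them with `path.join(__dirname, ...)` so the HTTPS test no longer depends on where it is launched from.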
    
  • lib/nodejs/lib/thrift/web_server.js (+9 −1, modified)
    @@ -415,7 +415,15 @@ exports.createWebServer = function(options) {
     
         //Locate the file requested and send it
         var uri = url.parse(request.url).pathname;
    -    var filename = path.join(baseDir, uri);
    +    var filename = path.resolve(path.join(baseDir, uri));
    +
    +    //Ensure the basedir path is not able to be escaped
    +    if (filename.indexOf(baseDir) != 0) {
    +      response.writeHead(400, "Invalid request path", {});
    +      response.end();
    +      return;
    +    }
    +
         fs.exists(filename, function(exists) {
           if(!exists) {
             response.writeHead(404);
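Review bot: the new guard `if (filename.indexOf(baseDir) != 0)` is a bare string-prefix test, so a resolved path under a sibling directory whose name begins with `baseDir` (for a docroot `/srv/www`, anything under `/srv/www-private`) passes it; compare against `baseDir + path.sep` instead and accept `filename === baseDir` for the root itself. The test also only behaves as intended when `baseDir` is absolute and normalized, because `filename` is now the output of `path.resolve` while `baseDir` is used as-is; resolving `baseDir` once with `path.resolve` where it is assigned would make the comparison independent of how the caller spelled the `files` option. A one-line comment that the 400 is deliberate for any path outside the docroot would also help future readers of `//Ensure the basedir path is not able to be escaped`.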
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
