Critical severity · NVD Advisory · Published May 29, 2018 · Updated Sep 16, 2024

CVE-2018-3744

Description

A path traversal vulnerability in html-pages node module allows remote attackers to read arbitrary files on the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The html-pages Node.js module contains a path traversal vulnerability that enables an attacker to read any file from the server using cURL. All versions up to and including 2.1.2 are affected [2]. The vulnerability resides in the way the module handles file paths, allowing traversal outside the intended directory. No specific configuration is required for the vulnerable code path to be reachable; the default behavior exposes this flaw [1][2].

Exploitation

An attacker needs neither authentication nor a privileged network position to exploit this vulnerability. The attacker crafts a request with a path traversal sequence (such as ../) in the URL and, using cURL or a similar tool, requests arbitrary files from the server's filesystem. No user interaction is required, and exploitation can be performed remotely over the network [1][2].

Impact

Successful exploitation results in information disclosure. An attacker can read any file on the server that the Node.js process has access to, potentially exposing sensitive data such as configuration files, credentials, or source code. The integrity and availability of the system are not directly compromised, but the confidentiality breach can lead to further attacks [1][2].

Mitigation

The vulnerability is addressed in a fix that was not publicly released at the time of disclosure. The project maintainer was unresponsive, and the package may be considered unmaintained. No official patched version exists in the npm registry [2][3]. As a workaround, users should avoid using the html-pages module or implement input validation and sanitization to prevent path traversal characters in file requests. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
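
The input-validation workaround mentioned above, as an added example (not code from html-pages or from the advisory's references): instead of stripping ../ from the request, resolve the decoded path against the served root and reject anything that lands outside it. The function names, the /srv/site root and the sample requests are assumptions constructed for illustration.

```javascript
const path = require('node:path');

// Map a request target to a file under `root`, or return null if it escapes.
// Lexical check only: it does not follow symlinks (use fs.realpath for that).
function resolveInsideRoot(root, requestTarget) {
  const rootAbs = path.resolve(root);
  const rawPath = requestTarget.split(/[?#]/, 1)[0]; // drop query and fragment
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath); // decode once: %2e%2e%2f -> ../
  } catch (err) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL byte in a path is never valid
  // Normalise backslashes so "..\" is handled the same on every platform.
  const candidate = path.resolve(rootAbs, './' + decoded.replace(/\\/g, '/'));
  const rel = path.relative(rootAbs, candidate);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return escapes ? null : candidate;
}

// Weak variant for comparison: a string-prefix test accepts sibling
// directories such as /srv/site-backup when the root is /srv/site.
function prefixOnlyCheck(root, requestTarget) {
  const candidate = path.resolve(root, './' + decodeURIComponent(requestTarget));
  return candidate.startsWith(path.resolve(root)) ? candidate : null;
}

// Constructed sample requests (not taken from the advisory).
const ROOT = '/srv/site';
const SAMPLES = [
  '/index.html',
  '/css/../index.html',
  '/../../etc/passwd',
  '/%2e%2e/%2e%2e/etc/passwd',
  '/..%5c..%5cetc%5cpasswd',
  '/../site-backup/db.sql',
  '/..notes.txt', // legitimate name that merely starts with two dots
  '/%zz',
];

function runSamples() {
  return SAMPLES.map((t) => [t, resolveInsideRoot(ROOT, t)]);
}

for (const [target, file] of runSamples()) {
  console.log(target.padEnd(28), '->', file === null ? 'REJECTED' : file);
}
```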

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: html-pages (npm)
Affected versions: <= 2.1.2
Patched versions: none listed

Affected products

2
  • ghsa-coords
    Range: <= 2.1.2
  • HackerOne/html-pages node module v5
    Range: Not fixed

Patches

0

No patches discovered yet.

References

5
