VYPR
High severity · NVD Advisory · Published Jul 5, 2018 · Updated Aug 5, 2024

CVE-2018-3766

Description

Path traversal vulnerability in buttle module <= 0.2.0 allows remote attackers to read arbitrary files on the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A path traversal vulnerability exists in the buttle module for Node.js, affecting all versions up to and including 0.2.0. The module fails to properly sanitize user-supplied input when resolving file paths, allowing an attacker to navigate outside the intended directory. Official sources indicate that versions <= 0.2.0 are affected [1][2].

Exploitation

An attacker can exploit this by sending a crafted HTTP request containing path traversal sequences (e.g., ../) to the endpoint that serves static files or uses file path resolution provided by the buttle module. No authentication is required, and the attack can be performed remotely over the network. The vulnerability is publicly documented in a HackerOne report (ID 358112) [2].

Impact

Successful exploitation allows an attacker to read the contents of any file on the server filesystem that the web server process can access. This can lead to disclosure of sensitive information such as configuration files, source code, or database credentials. The impact is limited to disclosure: the attacker gains read access to files, but this vector provides no write capability [1][2].

Mitigation

No official fix or patched version of the buttle module has been released. The module may be considered unmaintained or end-of-life. Users should remove or replace the buttle module with an actively maintained alternative that properly validates file paths. If immediate removal is not possible, consider implementing a reverse proxy or request filtering to block path traversal patterns [1][2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: buttle (npm)
Affected versions: <= 0.2.0
Patched versions: none

Patches

No patches discovered yet.
