VYPR
High severity · OSV Advisory · Published Feb 18, 2019 · Updated Aug 4, 2024

CVE-2019-8903

Description

index.js in Total.js Platform before 3.2.3 allows path traversal.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Total.js Platform before 3.2.3 allows path traversal via index.js due to insufficient input sanitization.

Vulnerability

A path traversal vulnerability exists in index.js of Total.js Platform versions before 3.2.3. The insufficient sanitization of URL paths allows an attacker to use relative path sequences (e.g., ../) to escape the intended /public directory and access arbitrary files on the server, limited to certain file extensions. The affected versions include all releases prior to 3.2.3 [1][3].

Exploitation

An attacker can exploit this by crafting a URL with directory traversal patterns like ../ to navigate outside the web root. The request does not require authentication or special privileges; only network access to the server is needed. The vulnerable code in earlier versions used a regex (REG_TRAVEL) that was insufficiently robust, which could be bypassed [4].

Impact

Successful exploitation allows an attacker to read arbitrary files from the server's filesystem, restricted to a set of common file extensions (e.g., .jpg, .js, .txt, .xml, .pdf, .json, etc.). This can lead to information disclosure, including source code, configuration files, or other sensitive data, potentially facilitating further attacks.

Mitigation

Fixed in Total.js Platform version 3.2.3. Users should upgrade to 3.2.3 or later. For older major versions, GitHub Advisory GHSA-3q32-j57w-q4w7 recommends upgrading to specific fixed versions (e.g., 2.1.1, 2.2.1, 2.9.5, 3.0.1, etc.) [3]. A commit (c37cafb) demonstrates the patch that replaces the flawed regex with a proper traversal removal loop [4].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package    Ecosystem   Affected versions   Patched versions
total.js   npm         < 3.2.3             3.2.3

Affected products: 2

Patches: 2

de16238d1384

Fixed again a critical bug with path travel...

https://github.com/totaljs/framework · Peter Širka · Feb 14, 2019 · via ghsa
2 files changed · +8 −4
  • index.js (+7 −3, modified)
    @@ -7387,9 +7387,13 @@ F.$requestcontinue = function(req, res, headers) {
     
     		// Stops path travelsation outside of "public" directory
     		// A potential security issue
    -		if (req.uri.pathname.indexOf('./') !== -1) {
    -			req.$total_status(404);
    -			return;
    +		for (var i = 0; i < req.uri.pathname.length; i++) {
    +			var c = req.uri.pathname[i];
    +			var n = req.uri.pathname[i + 1];
    +			if ((c === '.' && n === '/') || (c === '%' && n === '2' && req.uri.pathname[i + 2] === 'e')) {
    +				req.$total_status(404);
    +				return;
    +			}
     		}
     
     		F.stats.request.file++;
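Review bot: the added check compares the percent-encoded dot only against lowercase `'e'`, so the comparison is case-sensitive while the hex digits of a percent-encoding are not (RFC 3986 §2.1); rather than enumerating encodings in the raw `req.uri.pathname`, decode once with `decodeURIComponent`, resolve the result against the public directory with `path.resolve`, and answer 404 when `path.relative(publicRoot, resolved)` begins with `..`. Two smaller points: the loop also rejects harmless `/./` segments, since any `.` followed by `/` trips it, and the comment above the loop should read `traversal` rather than `travelsation`.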
    
  • package.json (+1 −1, modified)
    @@ -99,7 +99,7 @@
             "name": "Sarp Aykent",
             "email": "shackhers@gmail.com"
         }],
    -    "version": "3.2.2",
    +    "version": "3.2.3",
         "homepage": "http://www.totaljs.com",
         "bugs": {
             "url": "https://github.com/totaljs/framework/issues",
    
c37cafbf3e37

Improved security.

https://github.com/totaljs/framework · Peter Širka · Feb 13, 2019 · via ghsa
2 files changed · +14 −3
  • index.js (+13 −2, modified)
    @@ -68,7 +68,6 @@ const REG_ENCODINGCLEANER = /[;\s]charset=utf-8/g;
     const REG_SKIPERROR = /epipe|invalid\sdistance/i;
     const REG_OLDCONF = /-/g;
     const REG_UTF8 = /[^\x20-\x7E]+/;
    -const REG_TRAVEL = /(\/)?\.\.\//g;
     const FLAGS_INSTALL = ['get'];
     const FLAGS_DOWNLOAD = ['get', 'dnscache'];
     const QUERYPARSEROPTIONS = { maxKeys: 33 };
    @@ -7327,7 +7326,19 @@ F.listener = function(req, res) {
     	var headers = req.headers;
     	req.$protocol = ((req.connection && req.connection.encrypted) || ((headers['x-forwarded-proto'] || ['x-forwarded-protocol']) === 'https')) ? 'https' : 'http';
     
    -	req.url = req.url.replace(REG_TRAVEL, '');
    +	var beg = 0;
    +
    +	// Removes directory browsing
    +	for (var i = 0; i < req.url.length; i++) {
    +		if (req.url[i] === '.' && req.url[i + 1] === '/')
    +			beg = i + 1;
    +		else if (req.url[i] === '?')
    +			break;
    +	}
    +
    +	if (beg)
    +		req.url = req.url.substring(beg);
    +
     	req.uri = framework_internal.parseURI(req);
     
     	F.stats.request.request++;
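Review bot: the replacement loop rewrites the request instead of rejecting it: every `./` seen before `?` moves `beg` forward, and `req.url.substring(beg)` then keeps only what follows the last such sequence, so `/a/b/../c` is silently served as `/c`; returning 404 is the safer and more auditable behaviour. The scan also runs on the undecoded `req.url`, so percent-encoded dot segments reach `parseURI` untouched, which is why the 3.2.3 commit listed above has to add a second check in `$requestcontinue`; decoding once and then verifying the resolved path stays under the public directory would cover both cases in one place. Finally, the comment `// Removes directory browsing` describes something else; `// Strips ./ and ../ path segments` would match the code.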
    
  • package.json (+1 −1, modified)
    @@ -99,7 +99,7 @@
             "name": "Sarp Aykent",
             "email": "shackhers@gmail.com"
         }],
    -    "version": "3.2.0",
    +    "version": "3.2.1",
         "homepage": "http://www.totaljs.com",
         "bugs": {
             "url": "https://github.com/totaljs/framework/issues",
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6
