Path Traversal in ssr-pages
Description
A path traversal vulnerability in ssr-pages before 0.1.4 allows an attacker to read arbitrary files by providing a crafted svg property to the build(MessagePageOptions) function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In ssr-pages, an HTML page builder for server-side rendering, versions prior to 0.1.4 are vulnerable to a path traversal issue. The vulnerability occurs when untrusted input is supplied to the svg property as an argument to the build(MessagePageOptions) function. This allows an attacker to traverse directories and potentially read arbitrary files on the server. [1]
Exploitation
An attacker can exploit this by providing a malicious svg value containing path traversal sequences (e.g., ../) to the build function. No authentication or special privileges are mentioned; the attacker only needs to be able to supply input to the svg property. The exact sequence of steps is not detailed in the available reference, but the path traversal is triggered during the page building process. [1]
Impact
Successful exploitation could lead to unauthorized disclosure of sensitive files on the server, such as configuration files or source code, depending on the server's file system permissions. The impact is limited to information disclosure; no remote code execution or privilege escalation is indicated. [1]
Mitigation
The vulnerability is patched in version 0.1.4 of ssr-pages. Users should upgrade to this version or later. No workaround is known at the time of publication. [1]
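A caller-side containment check for an untrusted `svg` value, as defence in depth alongside the upgrade. This is an added example, not code from ssr-pages or the advisory; it assumes the `svg` value is treated as a file path, and `ICON_DIR`, `resolveSvgInside` and `isAllowedSvg` are hypothetical names.

```javascript
// Added example, not ssr-pages code. Assumption: `svg` is used as a file path.
const path = require("path");

// Hypothetical directory that holds the only SVG files a page may reference.
const ICON_DIR = path.resolve("/srv/app/icons");

// Resolve `svg` against baseDir and return the absolute path only if it stays
// inside baseDir and names an .svg file; throw otherwise.
// Symlinks are not followed here; compare fs.realpathSync() results if the
// directory may contain links.
function resolveSvgInside(baseDir, svg) {
  if (typeof svg !== "string" || svg.length === 0) {
    throw new TypeError("svg must be a non-empty string");
  }
  if (svg.includes("\0")) {
    throw new Error("svg contains a NUL byte");
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, svg); // collapses "..", honours absolute input
  // Compare by relative path, not by string prefix: a prefix test would accept
  // the sibling directory "/srv/app/icons-private".
  const rel = path.relative(base, target);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("svg resolves outside the icon directory");
  }
  if (path.extname(target).toLowerCase() !== ".svg") {
    throw new Error("svg must name an .svg file");
  }
  return target;
}

// Boolean wrapper for use in request validation.
function isAllowedSvg(svg) {
  try {
    resolveSvgInside(ICON_DIR, svg);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample values, as they might arrive in a request parameter.
const SAMPLES = ["logo.svg", "brand/../logo.svg", "../../../etc/passwd",
  "/etc/passwd", "../icons-private/key.svg", "notes.txt"];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), isAllowedSvg(s) ? "allowed" : "rejected");
}
```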
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @finastra/ssr-pages (npm) | < 0.1.4 | 0.1.4 |
Affected products (2)
Patches (0)
No patches discovered yet.
References (5)
- github.com/advisories/GHSA-w6cx-qg2q-rvq8 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-24718 (ghsa, ADVISORY)
- github.com/Finastra/ssr-pages/pull/1 (ghsa, x_refsource_MISC, WEB)
- github.com/Finastra/ssr-pages/pull/1/commits/c3e4c563384ae3ba3892f37dd190218577620780 (ghsa, x_refsource_MISC, WEB)
- github.com/Finastra/ssr-pages/security/advisories/GHSA-w6cx-qg2q-rvq8 (ghsa, x_refsource_CONFIRM, WEB)