CVE-2023-46493
Description
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the readDirSync function in fileBrowser/browser.js.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal vulnerability in EverShop NPM package before v1.0.0-rc.8 allows remote attackers to read arbitrary files via crafted request to readDirSync.
Vulnerability Overview
CVE-2023-46493 is a directory traversal vulnerability in EverShop, an open-source e-commerce platform built with TypeScript. The flaw resides in the readDirSync function within fileBrowser/browser.js. Before version 1.0.0-rc.8, the application fails to properly sanitize user-supplied paths, enabling an attacker to traverse directories outside the intended root folder [1][3].
Exploitation
An attacker can exploit this vulnerability by sending a crafted request containing path traversal sequences (e.g., ../) to the readDirSync function. No authentication is required, and the attack can be carried out remotely over HTTP. The vulnerable endpoint is exposed as part of the file browser functionality [1][3].
Impact
Successful exploitation allows a remote attacker to read arbitrary files on the server, including sensitive configuration files, application source code, and potentially credentials. This could lead to further compromise of the application or underlying system [1][3]. The vulnerability is classified under CWE-22 (Path Traversal).
Mitigation
The vulnerability has been fixed in EverShop version 1.0.0-rc.8 and later. A pull request addressing the issue was merged into the main repository [4]. Users are advised to upgrade to the latest patched version immediately. No workarounds have been disclosed.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @evershop/evershop | npm | < 1.0.0-rc.8 | 1.0.0-rc.8 |
Affected products
- EverShop / EverShop NPM (from the CVE description)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4wrm-qmq2-5fjx (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-46493 (GHSA, advisory)
- devhub.checkmarx.com/cve-details/CVE-2023-46493 (GHSA, web)
- devhub.checkmarx.com/cve-details/Cxa4d94170-be41 (GHSA, web)
- github.com/evershopcommerce/evershop/pull/338 (GHSA, web)
- devhub.checkmarx.com/cve-details/CVE-2023-46493 (MITRE)
- devhub.checkmarx.com/cve-details/Cxa4d94170-be41 (MITRE)
News mentions
No linked articles in our index yet.