CVE-2023-46496
Description
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the DELETE function in api/files endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal in EverShop before v.1.0.0-rc.8 allows unauthenticated attackers to delete arbitrary files via the DELETE verb on /api/files.
Root Cause
EverShop NPM versions prior to v.1.0.0-rc.8 contain a directory traversal vulnerability (CWE-23) in the file deletion endpoint. The function unlinkSync in deleteFile.js fails to properly validate user-supplied path components, allowing .. sequences to escape the intended upload directory [3].
Attack Vector
A remote attacker can send a crafted DELETE request to the /api/files endpoint without requiring authentication. By manipulating the filename parameter to include relative path traversals (e.g., ../../../etc/passwd), the attacker can reference files outside the restricted storage folder [1][3].
Impact
Successful exploitation enables arbitrary file deletion on the server's filesystem. This goes beyond simple information disclosure because the unlinkSync call removes the target file, potentially disrupting the application, deleting configuration files, or causing data loss [3]. The official CVE description notes that sensitive information may also be obtained, though the primary consequence is file removal [1].
Mitigation
The vulnerability has been patched in EverShop v.1.0.0-rc.8. The fix was introduced via pull request #338, which added input sanitization to prevent path traversal attacks [4]. Users should upgrade to the latest version immediately.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @evershop/evershop | npm | < 1.0.0-rc.8 | 1.0.0-rc.8 |
Affected products
- EverShop / EverShop NPM
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-rwf3-w4jq-f4cm (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2023-46496 (advisory, via GHSA)
- devhub.checkmarx.com/cve-details/CVE-2023-46496 (web, via GHSA)
- devhub.checkmarx.com/cve-details/Cx943be66a-54cc (web, via GHSA)
- github.com/evershopcommerce/evershop/pull/338 (web, via GHSA)
- devhub.checkmarx.com/cve-details/CVE-2023-46496 (via MITRE)
- devhub.checkmarx.com/cve-details/Cx943be66a-54cc (via MITRE)
News mentions
No linked articles in our index yet.