VYPR
Unrated severity · NVD Advisory · Published Feb 1, 2024 · Updated May 15, 2025

Crafatar path traversal vulnerability

CVE-2024-24756

Description

Crafatar serves Minecraft avatars based on the skin for use in external applications. Files outside of the lib/public/ directory can be requested from the server. Instances running behind Cloudflare (including crafatar.com) are not affected. Instances using the Docker container as shown in the README are affected, but only files within the container can be read. By default, all of the files within the container can also be found in this repository and are not confidential. This vulnerability is patched in 2.1.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Crafatar path traversal allows reading files outside the public directory; fixed in v2.1.5.

Vulnerability

Crafatar 2.1.4 and earlier contains a path traversal vulnerability in its asset_request function, located in lib/server.js. The server uses url.parse() on the incoming request URL without resolving path sequences, then joins the path with the lib/public/ directory when reading files. This allows an attacker to include ../ sequences to escape the intended public directory and read arbitrary files on the filesystem [2][3].

Exploitation

An attacker can exploit this by sending a crafted HTTP GET request to the Crafatar server with a path containing ../ sequences, such as curl https://example.com/../server.js --path-as-is [3]. No authentication or special privileges are required, and the server must not be behind a reverse proxy like Cloudflare that blocks path traversal attempts [3].

Impact

On success, an attacker can read any file that the Crafatar process has read access to, including server-side source code, configuration files, and potentially sensitive data. In the default Docker container deployment, the attacker is limited to files within the container, which are not confidential by default [3]. However, instances not using Docker could expose more sensitive host files.

Mitigation

This vulnerability is patched in Crafatar version 2.1.5, released on 2024-02-01 [1][3]. Users should upgrade to 2.1.5 or later immediately [3]. Instances behind Cloudflare are not affected because Cloudflare blocks path traversal attempts. There is no other workaround; upgrading is the only complete mitigation [3].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • crafatar/crafatar (llm-create), 2 versions: < 2.1.5 and 1 more
    • (no CPE) range: < 2.1.5
    • (no CPE) range: < 2.1.5

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.