High severityNVD Advisory· Published Nov 1, 2024· Updated Apr 15, 2026
CVE-2024-49770
CVE-2024-49770
Description
oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. By default oak does not allow transferring of hidden files with Context.send API. However, prior to version 17.1.3, this can be bypassed by encoding / as its URL encoded form %2F. For an attacker this has potential to read sensitive user data or to gain access to server secrets. Version 17.1.3 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@oakserver/oaknpm | <= 14.1.0 | — |
Patches
2dcc1aa92775f4b2f27efd5cbfix: decode path to avoid bypassing security checks
2 files changed · +21 −3
send.test.ts+19 −1 modified@@ -1,6 +1,10 @@ // Copyright 2018-2024 the oak authors. All rights reserved. MIT license. -import { assertEquals, assertStrictEquals } from "./deps_test.ts"; +import { + assertEquals, + assertRejects, + assertStrictEquals, +} from "./deps_test.ts"; import { createMockApp, createMockContext, @@ -13,6 +17,7 @@ import { assert, errors, eTag } from "./deps.ts"; import type { RouteParams } from "./router.ts"; import { send } from "./send.ts"; import { isNode } from "./utils/type_guards.ts"; +import { httpErrors } from "./mod.ts"; function setup< // deno-lint-ignore no-explicit-any @@ -482,3 +487,16 @@ Deno.test({ context.response.destroy(); }, }); + +Deno.test({ + name: "send - security - decoding paths to subvert checks", + async fn() { + const { context } = setup("/poc%2f../.test.json"); + await assertRejects(async () => { + await send(context, context.request.url.pathname, { + root: "./fixtures", + hidden: false, + }); + }, httpErrors.NotFound); + }, +});
send.ts+2 −2 modified@@ -30,7 +30,7 @@ import { } from "./deps.ts"; import type { Response } from "./response.ts"; import { isNode } from "./utils/type_guards.ts"; -import { decodeComponent } from "./utils/decode_component.ts"; +import { decode } from "./utils/decode.ts"; import { resolvePath } from "./utils/resolve_path.ts"; if (isNode()) { @@ -179,7 +179,7 @@ export async function send( root, } = options; const trailingSlash = path[path.length - 1] === "/"; - path = decodeComponent(path.substring(parse(path).root.length)); + path = decode(path.substring(parse(path).root.length)); if (index && trailingSlash) { path += index; }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-qm92-93fv-vh7mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-49770ghsaADVISORY
- github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.tsnvdWEB
- github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.tsnvdWEB
- github.com/oakserver/oak/commit/4b2f27efd5cba5a45b2c3982e610da3af0869209nvdWEB
- github.com/oakserver/oak/security/advisories/GHSA-qm92-93fv-vh7mnvdWEB
News mentions
0No linked articles in our index yet.