Critical severityNVD Advisory· Published Dec 31, 2024· Updated Apr 15, 2026
CVE-2024-56198
CVE-2024-56198
Description
path-sanitizer is a simple lightweight npm package for sanitizing paths to prevent Path Traversal. Prior to 3.1.0, the filters can be bypassed using .=%5c which results in a path traversal. This vulnerability is fixed in 3.1.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
path-sanitizernpm | < 3.1.0 | 3.1.0 |
Patches
1b6d2319eac91Merge pull request #2 from cabraviva/dev
4 files changed · +80 −62
lib/index.test.ts+4 −0 modified@@ -192,4 +192,8 @@ describe('sanitize() - Vulnerability Tests', () => { it('Protects reported vulnerability #1', () => { expect(linuxSlash(join('/var/app-dir', sanitize("..=%5c..=%5c..=%5c..=%5c..=%5c..=%5c..=%5cetc/passwd")))).not.toBe('/etc/passwd') }) + + it('Protects reported vulnerability #2', () => { + expect(linuxSlash(join('/var/app', sanitize("./../../test/../../../../../../../../../../etc/passwd")))).not.toBe('/etc/passwd') + }) })
lib/index.ts+14 −0 modified@@ -103,6 +103,20 @@ export default function sanitize(pathstr: string, options: SanitizeOptions = DEF // Replace double (back)slashes with a single slash sanitizedPath = sanitizedPath.replace(/[\/\\]+/g, '/') + // Replace /../ with / + sanitizedPath = sanitizedPath.replace(options.parentDirectoryRegEx, '/') + + // Remove ./ or / at start + while (sanitizedPath.startsWith('/') || sanitizedPath.startsWith('./') || sanitizedPath.endsWith('/..') || sanitizedPath.endsWith('/../') || sanitizedPath.startsWith('../') || sanitizedPath.startsWith('/../')) { + sanitizedPath = sanitizedPath.replace(/^\.\//g, '') // ^./ + sanitizedPath = sanitizedPath.replace(/^\//g, '') // ^/ + // Remove ../ | /../ at pos 0 and /.. | /../ at end + sanitizedPath = sanitizedPath.replace(/^[\/\\]\.\.[\/\\]/g, '/') + sanitizedPath = sanitizedPath.replace(/^\.\.[\/\\]/g, '/') + sanitizedPath = sanitizedPath.replace(/[\/\\]\.\.$/g, '/') + sanitizedPath = sanitizedPath.replace(/[\/\\]\.\.\/$/g, '/') + } + // Make sure out is not "." sanitizedPath = sanitizedPath.trim() === '.' ? '' : sanitizedPath
package.json+2 −2 modified@@ -20,8 +20,8 @@ "homepage": "https://github.com/cabraviva/path-sanitizer#readme", "types": "dist/index.d.ts", "devDependencies": { - "@types/node": "^22.9.3", + "@types/node": "^22.10.2", "typescript": "^5.7.2", - "vitest": "^2.1.5" + "vitest": "^2.1.8" } } \ No newline at end of file
pnpm-lock.yaml+60 −60 modified@@ -9,14 +9,14 @@ importers: .: devDependencies: '@types/node': - specifier: ^22.9.3 - version: 22.9.3 + specifier: ^22.10.2 + version: 22.10.2 typescript: specifier: ^5.7.2 version: 5.7.2 vitest: - specifier: ^2.1.5 - version: 2.1.5(@types/node@22.9.3) + specifier: ^2.1.8 + version: 2.1.8(@types/node@22.10.2) packages: @@ -254,14 +254,14 @@ packages: '@types/estree@1.0.6': resolution: {integrity: sha512-AYnb1nQyY49te+VRAVgmzfcgjYS91mY5P0TKUDCLEM+gNnA+3T6rWITXRLYCpahpqSQbN5cE+gHpnPyXjHWxcw==} - '@types/node@22.9.3': - resolution: {integrity: sha512-F3u1fs/fce3FFk+DAxbxc78DF8x0cY09RRL8GnXLmkJ1jvx3TtPdWoTT5/NiYfI5ASqXBmfqJi9dZ3gxMx4lzw==} + '@types/node@22.10.2': + resolution: {integrity: sha512-Xxr6BBRCAOQixvonOye19wnzyDiUtTeqldOOmj3CkeblonbccA12PFwlufvRdrpjXxqnmUaeiU5EOA+7s5diUQ==} - '@vitest/expect@2.1.5': - resolution: {integrity: sha512-nZSBTW1XIdpZvEJyoP/Sy8fUg0b8od7ZpGDkTUcfJ7wz/VoZAFzFfLyxVxGFhUjJzhYqSbIpfMtl/+k/dpWa3Q==} + '@vitest/expect@2.1.8': + resolution: {integrity: sha512-8ytZ/fFHq2g4PJVAtDX57mayemKgDR6X3Oa2Foro+EygiOJHUXhCqBAAKQYYajZpFoIfvBCF1j6R6IYRSIUFuw==} - '@vitest/mocker@2.1.5': - resolution: {integrity: sha512-XYW6l3UuBmitWqSUXTNXcVBUCRytDogBsWuNXQijc00dtnU/9OqpXWp4OJroVrad/gLIomAq9aW8yWDBtMthhQ==} + '@vitest/mocker@2.1.8': + resolution: {integrity: sha512-7guJ/47I6uqfttp33mgo6ga5Gr1VnL58rcqYKyShoRK9ebu8T5Rs6HN3s1NABiBeVTdWNrwUMcHH54uXZBN4zA==} peerDependencies: msw: ^2.4.9 vite: ^5.0.0 @@ -271,20 +271,20 @@ packages: vite: optional: true - '@vitest/pretty-format@2.1.5': - resolution: {integrity: sha512-4ZOwtk2bqG5Y6xRGHcveZVr+6txkH7M2e+nPFd6guSoN638v/1XQ0K06eOpi0ptVU/2tW/pIU4IoPotY/GZ9fw==} + '@vitest/pretty-format@2.1.8': + resolution: {integrity: sha512-9HiSZ9zpqNLKlbIDRWOnAWqgcA7xu+8YxXSekhr0Ykab7PAYFkhkwoqVArPOtJhPmYeE2YHgKZlj3CP36z2AJQ==} - '@vitest/runner@2.1.5': - resolution: {integrity: sha512-pKHKy3uaUdh7X6p1pxOkgkVAFW7r2I818vHDthYLvUyjRfkKOU6P45PztOch4DZarWQne+VOaIMwA/erSSpB9g==} + '@vitest/runner@2.1.8': + resolution: {integrity: sha512-17ub8vQstRnRlIU5k50bG+QOMLHRhYPAna5tw8tYbj+jzjcspnwnwtPtiOlkuKC4+ixDPTuLZiqiWWQ2PSXHVg==} - '@vitest/snapshot@2.1.5': - resolution: {integrity: sha512-zmYw47mhfdfnYbuhkQvkkzYroXUumrwWDGlMjpdUr4jBd3HZiV2w7CQHj+z7AAS4VOtWxI4Zt4bWt4/sKcoIjg==} + '@vitest/snapshot@2.1.8': + resolution: {integrity: sha512-20T7xRFbmnkfcmgVEz+z3AU/3b0cEzZOt/zmnvZEctg64/QZbSDJEVm9fLnnlSi74KibmRsO9/Qabi+t0vCRPg==} - '@vitest/spy@2.1.5': - resolution: {integrity: sha512-aWZF3P0r3w6DiYTVskOYuhBc7EMc3jvn1TkBg8ttylFFRqNN2XGD7V5a4aQdk6QiUzZQ4klNBSpCLJgWNdIiNw==} + '@vitest/spy@2.1.8': + resolution: {integrity: sha512-5swjf2q95gXeYPevtW0BLk6H8+bPlMb4Vw/9Em4hFxDcaOxS+e0LOX4yqNxoHzMR2akEB2xfpnWUzkZokmgWDg==} - '@vitest/utils@2.1.5': - resolution: {integrity: sha512-yfj6Yrp0Vesw2cwJbP+cl04OC+IHFsuQsrsJBL9pyGeQXE56v1UAOQco+SR55Vf1nQzfV0QJg1Qum7AaWUwwYg==} + '@vitest/utils@2.1.8': + resolution: {integrity: sha512-dwSoui6djdwbfFmIgbIjX2ZhIoG7Ex/+xpxyiEgIGzjliY8xGkcpITKTlp6B4MgtGkF2ilvm97cPM96XZaAgcA==} assertion-error@2.0.1: resolution: {integrity: sha512-Izi8RQcffqCeNVgFigKli1ssklIbpHnCYc6AknXGYoB6grJqyeby7jv12JUQgmTAnIDnbck1uxksT4dzN3PWBA==} @@ -404,11 +404,11 @@ packages: engines: {node: '>=14.17'} hasBin: true - undici-types@6.19.8: - resolution: {integrity: sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw==} + undici-types@6.20.0: + resolution: {integrity: sha512-Ny6QZ2Nju20vw1SRHe3d9jVu6gJ+4e3+MMpqu7pqE5HT6WsTSlce++GQmK5UXS8mzV8DSYHrQH+Xrf2jVcuKNg==} - vite-node@2.1.5: - resolution: {integrity: sha512-rd0QIgx74q4S1Rd56XIiL2cYEdyWn13cunYBIuqh9mpmQr7gGS0IxXoP8R6OaZtNQQLyXSWbd4rXKYUbhFpK5w==} + vite-node@2.1.8: + resolution: {integrity: sha512-uPAwSr57kYjAUux+8E2j0q0Fxpn8M9VoyfGiRI8Kfktz9NcYMCenwY5RnZxnF1WTu3TGiYipirIzacLL3VVGFg==} engines: {node: ^18.0.0 || >=20.0.0} hasBin: true @@ -443,15 +443,15 @@ packages: terser: optional: true - vitest@2.1.5: - resolution: {integrity: sha512-P4ljsdpuzRTPI/kbND2sDZ4VmieerR2c9szEZpjc+98Z9ebvnXmM5+0tHEKqYZumXqlvnmfWsjeFOjXVriDG7A==} + vitest@2.1.8: + resolution: {integrity: sha512-1vBKTZskHw/aosXqQUlVWWlGUxSJR8YtiyZDJAFeW2kPAeX6S3Sool0mjspO+kXLuxVWlEDDowBAeqeAQefqLQ==} engines: {node: ^18.0.0 || >=20.0.0} hasBin: true peerDependencies: '@edge-runtime/vm': '*' '@types/node': ^18.0.0 || >=20.0.0 - '@vitest/browser': 2.1.5 - '@vitest/ui': 2.1.5 + '@vitest/browser': 2.1.8 + '@vitest/ui': 2.1.8 happy-dom: '*' jsdom: '*' peerDependenciesMeta: @@ -602,47 +602,47 @@ snapshots: '@types/estree@1.0.6': {} - '@types/node@22.9.3': + '@types/node@22.10.2': dependencies: - undici-types: 6.19.8 + undici-types: 6.20.0 - '@vitest/expect@2.1.5': + '@vitest/expect@2.1.8': dependencies: - '@vitest/spy': 2.1.5 - '@vitest/utils': 2.1.5 + '@vitest/spy': 2.1.8 + '@vitest/utils': 2.1.8 chai: 5.1.2 tinyrainbow: 1.2.0 - '@vitest/mocker@2.1.5(vite@5.4.11(@types/node@22.9.3))': + '@vitest/mocker@2.1.8(vite@5.4.11(@types/node@22.10.2))': dependencies: - '@vitest/spy': 2.1.5 + '@vitest/spy': 2.1.8 estree-walker: 3.0.3 magic-string: 0.30.13 optionalDependencies: - vite: 5.4.11(@types/node@22.9.3) + vite: 5.4.11(@types/node@22.10.2) - '@vitest/pretty-format@2.1.5': + '@vitest/pretty-format@2.1.8': dependencies: tinyrainbow: 1.2.0 - '@vitest/runner@2.1.5': + '@vitest/runner@2.1.8': dependencies: - '@vitest/utils': 2.1.5 + '@vitest/utils': 2.1.8 pathe: 1.1.2 - '@vitest/snapshot@2.1.5': + '@vitest/snapshot@2.1.8': dependencies: - '@vitest/pretty-format': 2.1.5 + '@vitest/pretty-format': 2.1.8 magic-string: 0.30.13 pathe: 1.1.2 - '@vitest/spy@2.1.5': + '@vitest/spy@2.1.8': dependencies: tinyspy: 3.0.2 - '@vitest/utils@2.1.5': + '@vitest/utils@2.1.8': dependencies: - '@vitest/pretty-format': 2.1.5 + '@vitest/pretty-format': 2.1.8 loupe: 3.1.2 tinyrainbow: 1.2.0 @@ -769,15 +769,15 @@ snapshots: typescript@5.7.2: {} - undici-types@6.19.8: {} + undici-types@6.20.0: {} - vite-node@2.1.5(@types/node@22.9.3): + vite-node@2.1.8(@types/node@22.10.2): dependencies: cac: 6.7.14 debug: 4.3.7 es-module-lexer: 1.5.4 pathe: 1.1.2 - vite: 5.4.11(@types/node@22.9.3) + vite: 5.4.11(@types/node@22.10.2) transitivePeerDependencies: - '@types/node' - less @@ -789,24 +789,24 @@ snapshots: - supports-color - terser - vite@5.4.11(@types/node@22.9.3): + vite@5.4.11(@types/node@22.10.2): dependencies: esbuild: 0.21.5 postcss: 8.4.49 rollup: 4.27.4 optionalDependencies: - '@types/node': 22.9.3 + '@types/node': 22.10.2 fsevents: 2.3.3 - vitest@2.1.5(@types/node@22.9.3): + vitest@2.1.8(@types/node@22.10.2): dependencies: - '@vitest/expect': 2.1.5 - '@vitest/mocker': 2.1.5(vite@5.4.11(@types/node@22.9.3)) - '@vitest/pretty-format': 2.1.5 - '@vitest/runner': 2.1.5 - '@vitest/snapshot': 2.1.5 - '@vitest/spy': 2.1.5 - '@vitest/utils': 2.1.5 + '@vitest/expect': 2.1.8 + '@vitest/mocker': 2.1.8(vite@5.4.11(@types/node@22.10.2)) + '@vitest/pretty-format': 2.1.8 + '@vitest/runner': 2.1.8 + '@vitest/snapshot': 2.1.8 + '@vitest/spy': 2.1.8 + '@vitest/utils': 2.1.8 chai: 5.1.2 debug: 4.3.7 expect-type: 1.1.0 @@ -817,11 +817,11 @@ snapshots: tinyexec: 0.3.1 tinypool: 1.0.2 tinyrainbow: 1.2.0 - vite: 5.4.11(@types/node@22.9.3) - vite-node: 2.1.5(@types/node@22.9.3) + vite: 5.4.11(@types/node@22.10.2) + vite-node: 2.1.8(@types/node@22.10.2) why-is-node-running: 2.3.0 optionalDependencies: - '@types/node': 22.9.3 + '@types/node': 22.10.2 transitivePeerDependencies: - less - lightningcss
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-94p5-r7cc-3rprghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-56198ghsaADVISORY
- github.com/cabraviva/path-sanitizer/commit/b6d2319eac910dffdfacc8460f5b5cc5a1518eadnvdWEB
- github.com/cabraviva/path-sanitizer/security/advisories/GHSA-94p5-r7cc-3rprnvdWEB
- www.loom.com/share/b766ece5193842848ce7562fcd559256nvdWEB
News mentions
0No linked articles in our index yet.