canto-saas-api: Authenticated API requests can be redirected via unencoded path variables
Description
Summary
In affected versions, Request::buildRequestUrl() inserts path variables into the request URL without URL encoding (implode('/', $pathVariables)). All request classes implementing getPathVariables() are affected, e.g. GetContentDetailsRequest (scheme, contentId).
If a consuming application passes untrusted input (such as an ID taken from an HTTP request parameter) as a path variable, characters like ../, ? or # are sent verbatim and can change the path of the resulting API request.
Impact
An attacker who controls a path variable value can redirect the library's authenticated request — the Bearer access token is attached in AbstractEndpoint::sendRequest() — to a different API endpoint of the same Canto instance, causing unintended reads or writes with the privileges of the configured app. The impact depends on how the consuming application sources path variable values; applications that only pass trusted, validated IDs are not exploitable.
Patches
Fixed in 3.0.0: every path segment is encoded with rawurlencode() before being inserted into the request URL.
Workarounds
If you cannot upgrade, validate untrusted values before passing them to request classes, e.g. enforce an allowlist pattern such as ^[A-Za-z0-9_-]+$ for content IDs and schemes.
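The following PHP is an added illustration, not code from the canto-saas-api project: it contrasts a minimal stand-in for the pre-3.0.0 buildRequestUrl() with the rawurlencode() form described under Patches, and applies the allowlist pattern from the Workarounds section. The base URL, function names and sample IDs are assumptions.

```php
<?php
// Added illustration, not canto-saas-api code: a simplified stand-in for
// Request::buildRequestUrl() before and after the 3.0.0 fix, plus the
// allowlist check suggested as a workaround for callers that cannot upgrade.

const API_BASE = 'https://tenant.example/api/v1'; // constructed base URL

// Pre-3.0.0 behaviour (assumed simplification): segments are joined verbatim,
// so '/', '?' or '#' inside a value changes the structure of the request URL.
function buildRequestUrlUnencoded(string $base, array $pathVariables): string
{
    return rtrim($base, '/') . '/' . implode('/', $pathVariables);
}

// 3.0.0 behaviour: every segment goes through rawurlencode() first, so '/',
// '?' and '#' are percent-encoded and a '../' stays inside its own segment.
function buildRequestUrlEncoded(string $base, array $pathVariables): string
{
    $segments = array_map('rawurlencode', $pathVariables);
    return rtrim($base, '/') . '/' . implode('/', $segments);
}

// Workaround: reject anything outside the advisory's allowlist before it
// reaches a request class such as GetContentDetailsRequest.
function isSafePathVariable(string $value): bool
{
    return preg_match('/^[A-Za-z0-9_-]+$/', $value) === 1;
}

// Constructed inputs: a well-formed (scheme, contentId) pair and one whose
// contentId carries a query separator.
$trusted   = ['image', 'abc123'];
$untrusted = ['image', 'abc123?x=1'];

echo buildRequestUrlUnencoded(API_BASE, $trusted), PHP_EOL;
echo buildRequestUrlUnencoded(API_BASE, $untrusted), PHP_EOL; // '?' kept as-is
echo buildRequestUrlEncoded(API_BASE, $untrusted), PHP_EOL;   // '?' encoded

foreach (['abc123', 'abc123?x=1', '../other'] as $candidate) {
    printf("%-12s allowlisted: %s\n", $candidate,
        isSafePathVariable($candidate) ? 'yes' : 'no');
}
```

Run the allowlist check on every value sourced from request parameters, not only on contentId; the scheme segment is built the same way.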
Affected products
Range: <= 2.0.0