Client-Side Path Traversal Across Major Frontend Frameworks

The Critical Thinking Podcast article presents a comprehensive study of Client-Side Path Traversal (CSPT) vulnerabilities across eight frontend frameworks: React, Next.js, Vue, Nuxt, Angular, Ember, SvelteKit, and SolidStart. The core problem: client-side routers decode URL parameters when extracting them from the path, and if a developer concatenates the decoded value into a fetch() call, client-side path traversal occurs.
During the research, a 0-day gadget was discovered in React Router: the matchPath function replaces %2F with / without the case-insensitive flag, causing %252F (uppercase F) to result in path traversal while %252f (lowercase) does not.
The article also describes a real-world attack chain against a home automation platform (XSS via staging → postMessage to AI → disabling the alarm system), a step-by-step CSPT testing methodology, and a WAF bypass technique leveraging how fetch() handles tab characters.
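The decode-then-concatenate pattern from the summary above, as an added example in plain JavaScript (not code from the article or from any of the frameworks it covers). It assumes a hypothetical route /items/:id whose component calls GET /api/items/<id>, and it models the described React Router %2F replacement as a simplified stand-in, not the library's real code.

```javascript
// Added example, not code from the article or the frameworks it discusses.
// Hypothetical route /items/:id whose component fetches GET /api/items/<id>.
const ORIGIN = "https://app.example"; // constructed sample origin

// Models a client-side router extracting and decoding the :id segment.
// With reactRouterStyle=true it also applies the case-sensitive %2F -> "/"
// replacement the article attributes to matchPath (a model of the described
// behaviour, not the library's actual implementation).
function extractParam(pathname, reactRouterStyle = false) {
  let id = decodeURIComponent(pathname.split("/")[2] ?? "");
  if (reactRouterStyle) id = id.replace(/%2F/g, "/");
  return id;
}

// Vulnerable pattern: the decoded parameter is concatenated into the API path.
// new URL() normalises ".." segments the same way fetch() does, so the returned
// href is the request that would actually leave the browser.
function buildItemUrlUnsafe(id) {
  return new URL(`/api/items/${id}`, ORIGIN).href;
}

// Hardened pattern: re-encode the value so "/" cannot act as a separator, then
// confirm the resolved path is still under the intended prefix. The prefix
// check also rejects a bare ".." segment, which encodeURIComponent leaves as-is.
function buildItemUrlSafe(id) {
  const url = new URL(`/api/items/${encodeURIComponent(id)}`, ORIGIN);
  if (!url.pathname.startsWith("/api/items/")) {
    throw new Error("parameter escaped the /api/items/ prefix");
  }
  return url.href;
}

// Constructed sample inputs: single-encoded and double-encoded traversal.
const singleEncoded = "/items/..%2F..%2Fadmin%2Fsettings";
const doubleEncoded = "/items/..%252F..%252Fadmin%252Fsettings";
```

Running the two builders over the samples shows the unsafe path resolving to /admin/settings while the safe one keeps the value inside /api/items/, and the double-encoded case only traverses when the %2F replacement is applied.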
Products
Angular
Ember
Next.js
Nuxt
React
React Router
Published
2026-04-13, 15:25