PT-2024-33679 · Oak · Oak

Nekzor · Published 2024-11-01 · Updated 2024-11-02 · CVE-2024-49770

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: oak versions prior to 17.1.3
Description: An attacker can bypass the default restriction on transferring hidden files through the Context.send API by encoding / as its URL-encoded form, %2F. This can potentially lead to reading sensitive user data or gaining access to server secrets. The isHidden function is flawed: it only checks whether the first subpath is hidden, so secrets can be read from subdir/.env. The vulnerability can be exploited through API endpoints such as /poc%2f../.env or /poc%2f../.git/config to access sensitive files.
Recommendations: For versions prior to 17.1.3, update to version 17.1.3 to fix the issue. As a temporary workaround, consider restricting access to the Context.send API or disabling the isHidden function until a patch is available. Avoid using the decodeComponent function to decode URLs, as it may allow an attacker to bypass the restriction on transferring hidden files.
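The check described above, as an added example that is not part of the original advisory and is not oak's source code: a simplified model of a first-subpath-only test beside a hardened version that decodes once, resolves dot segments, and tests every segment. The function names firstSubpathIsHidden and resolveServablePath are hypothetical.

```javascript
// Added example. Hypothetical names; a simplified model, not oak's source.

// Models the flaw described above: the path is split while still encoded
// and only the first subpath is tested for a leading dot.
function firstSubpathIsHidden(rawPath) {
  const first = rawPath.split("/").filter(Boolean)[0] ?? "";
  return first.startsWith(".");
}

// Hardened check: decode once, resolve "." and "..", then test every
// segment. Returns the relative path to serve, or null to refuse.
function resolveServablePath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0")) return null;
  const resolved = [];
  for (const seg of decoded.split(/[\\/]+/)) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (resolved.length === 0) return null; // would climb above the root
      resolved.pop();
    } else {
      resolved.push(seg);
    }
  }
  // A dot-prefixed name anywhere in the final path counts as hidden.
  if (resolved.some((seg) => seg.startsWith("."))) return null;
  return resolved.join("/");
}

// Constructed sample requests; the first three are paths the advisory names.
const samples = ["/poc%2f../.env", "/poc%2f../.git/config", "subdir/.env", "/static/app.js"];
for (const p of samples) {
  console.log(p, "| first-subpath check says hidden:", firstSubpathIsHidden(p),
    "| hardened result:", resolveServablePath(p));
}
```

The string returned by resolveServablePath, not the original request path, is the value to join to the served root, so the check and the file lookup see the same path.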

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2024-49770
GHSA-QM92-93FV-VH7M

Affected Products

Oak