PT-2024-7456 · Vendure · Vendure

Rajesh Sharma · Published 2024-09-18 · Updated 2024-10-22 · CVE-2024-48914

CVSS v3.1: 9.4 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Vendure versions prior to 3.0.5 and 2.3.3
Description: A path traversal issue in Vendure's asset server plugin allows an attacker to craft a request that traverses the server file system and retrieves the contents of arbitrary files, including sensitive data such as configuration files, environment variables, and other critical data stored on the server. Separately, a malformed URI can crash the server. The impact is disclosure of protected information or denial of service.
Recommendations: For versions prior to 3.0.5 and 2.3.3, update to the patched version 3.0.5 or 2.3.3. As a temporary workaround, consider storing assets in object storage such as MinIO or S3 rather than on the local file system, and define middleware that detects and blocks requests whose URL contains /../ to reduce the risk of exploitation.
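The interim workaround above (middleware that rejects requests containing /../) can be implemented as a small request filter in front of the asset handler. The following is an added example written for this page, not Vendure's own code or its actual fix. It assumes an Express/Connect-style handler signature (req, res, next) and that assets are served under an assumed route prefix /assets/. It goes slightly beyond the advisory's literal /../ check: the test runs on the percent-decoded path so encoded dot segments are treated the same as plain ones, backslashes are unified to slashes, and a URI that cannot be decoded is answered with 400 rather than being allowed to raise an unhandled exception.

```javascript
// Added example (not Vendure's code): a framework-agnostic request filter that
// implements the advisory's interim workaround and handles malformed URIs
// gracefully. Assumptions: asset route prefix ASSET_PREFIX (constructed here),
// Express/Connect-style (req, res, next) handlers, POSIX asset root path.

const ASSET_PREFIX = "/assets/"; // assumed route prefix, not taken from Vendure

// Classify a raw request URL as "ok", "traversal" or "malformed".
// The check runs on the percent-decoded path, so "%2e%2e" is treated the same
// as "..", and backslashes are unified to "/" so "..\" is caught as well.
function classifyRequestUrl(rawUrl) {
  const pathOnly = String(rawUrl).split("?")[0]; // the query cannot select a file
  let decoded;
  try {
    decoded = decodeURIComponent(pathOnly);
  } catch (err) {
    // decodeURIComponent throws URIError on a bad escape such as "%zz" or a
    // trailing "%"; report it so the caller answers 400 instead of crashing.
    return "malformed";
  }
  const segments = decoded.replace(/\\/g, "/").split("/");
  // The advisory's workaround blocks "/../"; rejecting any ".." segment is the
  // same policy applied after decoding, and also covers a leading "..".
  if (segments.includes("..")) return "traversal";
  return "ok";
}

// Map a request URL to a filesystem path under assetRoot, or return null if the
// request must not touch the filesystem at all. Segment normalisation is done
// by hand so the function stays self-contained (no path module needed).
function safeAssetPath(assetRoot, rawUrl) {
  if (classifyRequestUrl(rawUrl) !== "ok") return null;
  const decoded = decodeURIComponent(String(rawUrl).split("?")[0]);
  if (!decoded.startsWith(ASSET_PREFIX)) return null; // not an asset request
  const relative = decoded.slice(ASSET_PREFIX.length);
  const kept = [];
  for (const seg of relative.replace(/\\/g, "/").split("/")) {
    if (seg === "" || seg === ".") continue; // collapse "//" and "./"
    kept.push(seg);
  }
  if (kept.length === 0) return null; // bare prefix: nothing to serve
  const root = assetRoot.replace(/\/+$/, "");
  return root + "/" + kept.join("/");
}

// Express/Connect-style middleware built from the classifier. Mount it in front
// of the asset handler so rejected requests never reach the static-file code.
function traversalGuard() {
  return function (req, res, next) {
    const verdict = classifyRequestUrl(req.url);
    if (verdict === "ok") return next();
    res.statusCode = verdict === "malformed" ? 400 : 403;
    res.setHeader("Content-Type", "text/plain");
    res.end(verdict === "malformed" ? "Bad Request" : "Forbidden");
  };
}

// Stand-alone demonstration over constructed request URLs.
function demo() {
  const samples = [
    "/assets/preview/hero.jpg?w=300",
    "/assets/../../anyfile",
    "/assets/%2e%2e/%2e%2e/anyfile",
    "/assets/100%",
  ];
  return samples.map((url) => url + " -> " + classifyRequestUrl(url));
}
demo().forEach((line) => console.log(line));
```

In practice the guard should sit as early as possible in the middleware chain, and safeAssetPath (or an equivalent containment check against the real asset root) is the stronger control: a blocklist of /../ only matters when the file lookup itself would otherwise accept an escaped path.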

Tags: Exploit · Fix · Path traversal · RCE

Weakness Enumeration

Related Identifiers

BDU:2024-08835
CVE-2024-48914
GHSA-R9MQ-3C9R-FMJQ

Affected Products

Vendure