CVE-2023-39584
JavaScript vulnerability analysis and mitigation

Overview

Hexo up to version 7.0.0 (RC2) contains an arbitrary file read vulnerability identified as CVE-2023-39584. The vulnerability was discovered in July 2023 and affects the include_code tag functionality in the Hexo blog framework. The issue impacts all versions of Hexo up to and including version 7.0.0 RC2 (NVD).

Technical details

The vulnerability exists in the include_code tag functionality, where the security check intended to prevent directory traversal can be bypassed. While the code attempts to block paths containing '../', it fails to account for Windows-style directory traversal using backslashes ('..\'), allowing attackers to bypass the protection mechanism. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD, GitHub Issue).

Impact

The vulnerability allows attackers to read arbitrary files on the system by exploiting the directory traversal weakness. On Windows systems, an attacker can use backslash-based paths ('..\') to traverse directories and access files outside the intended directory structure. While theoretically possible on Linux systems using '../' combinations, this has not been verified (GitHub Issue).

Mitigation and workarounds

Users should upgrade to a patched version of Hexo when available. As a temporary workaround, careful validation of paths used in include_code tags should be implemented, blocking both forward slash and backslash-based directory traversal attempts (NVD).

Additional resources

This report was generated using AI.

Related JavaScript vulnerabilities:

CVE ID          | Severity | Score | Technologies | Component name                 | CISA KEV exploit | Has fix | Published date
CVE-2025-65959  | HIGH     | 8.7   | JavaScript   | open-webui                     | No               | Yes     | Dec 04, 2025
CVE-2025-66032  | HIGH     | 8.7   | JavaScript   | @anthropic-ai/claude-code      | No               | Yes     | Dec 03, 2025
CVE-2025-65945  | HIGH     | 7.5   | JavaScript   | jws                            | No               | Yes     | Dec 04, 2025
CVE-2025-66404  | MEDIUM   | 6.4   | JavaScript   | mcp-server-kubernetes          | No               | Yes     | Dec 03, 2025
CVE-2025-66479  | LOW      | 1.8   | JavaScript   | @anthropic-ai/sandbox-runtime  | No               | Yes     | Dec 04, 2025
