CVE-2024-49770: 
JavaScript vulnerability analysis and mitigation

CVE-2024-49770 affects oak, a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. The vulnerability was discovered and disclosed on November 1, 2024. By default, oak does not allow transferring of hidden files with Context.send API, however, prior to version 17.1.3, this protection could be bypassed by encoding / as its URL encoded form %2F (GitHub Advisory).

The vulnerability stems from two key issues: First, oak uses decodeComponent which behaves unexpectedly, making it impossible to access files containing URL encoded characters unless the client URL encodes it first. Second, the isHidden function is flawed as it only checks if the first subpath is hidden, allowing access to secrets in subdirectories like subdir/.env. The vulnerability has been assigned a CVSS v4.0 score of 7.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P (NVD).

The vulnerability allows attackers to potentially read sensitive user data or gain access to server secrets within the served root directory. An attacker can bypass the hidden file transfer restriction and access sensitive files like .env or .git/config files that are normally protected (GitHub Advisory).

The vulnerability has been fixed in oak version 17.1.3. Users are advised to upgrade to this version or later to address the security issue. The fix involves properly decoding paths to prevent bypassing security checks (Oak Commit).