CVE-2024-56198: 
JavaScript vulnerability analysis and mitigation

path-sanitizer is a simple lightweight npm package designed for sanitizing paths to prevent Path Traversal attacks. A critical vulnerability was discovered in versions prior to 3.1.0, where the path sanitization filters could be bypassed using the sequence '.=%5c', resulting in a path traversal vulnerability. This security flaw was assigned CVE-2024-56198 and was fixed in version 3.1.0 (GitHub Advisory).

The vulnerability exists in the path sanitization logic where the filters can be bypassed using special character sequences. Specifically, using '.=%5c' in the path allows an attacker to perform directory traversal, effectively bypassing the intended security controls. The vulnerability has been assigned a CVSS v4.0 base score of 9.3 CRITICAL with the vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The issue is classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (NVD).

The vulnerability allows attackers to traverse directory structures outside of the intended directory scope. Any CLI tool or library using this package could be vulnerable to path traversal attacks, potentially enabling unauthorized access to files and directories outside the intended directory structure (GitHub Advisory).

The vulnerability has been fixed in version 3.1.0 of the path-sanitizer package. Users are strongly advised to upgrade to this version or later to address the security issue. The fix includes improved path sanitization logic to prevent the bypass technique (GitHub Advisory).