GHSA-q324-q795-2q5p: 
JavaScript vulnerability analysis and mitigation

A path traversal vulnerability was discovered in the @redocly/openapi-cli npm package affecting versions >=1.0.0-beta.9 and <1.0.0-beta.59. The vulnerability was identified in the preview-docs command functionality and was disclosed on October 9, 2021. The issue specifically affects scenarios where the working directory contains files with question mark (?) characters in their names (GitHub Advisory).

The vulnerability exists in the preview server component of the preview-docs command. When processing URLs containing query parameters, the path.resolve() function incorrectly handles paths containing question marks, potentially allowing attackers to traverse directories and access files outside the intended directory structure. The issue was particularly exploitable when the working directory contained files with question marks in their names (Redocly PR).

When exploited, this vulnerability allows attackers to access and download arbitrary files from the server's filesystem, provided they know the file names and the working directory contains files with question marks. This could lead to unauthorized access to sensitive system files (GitHub Advisory).

The vulnerability was patched in version 1.0.0-beta.59 of @redocly/openapi-cli. For users unable to update immediately, the recommended workaround is to avoid running the openapi-cli preview-docs command in folders containing files with question marks in their names. The fix implements a more robust solution by checking if the file path is within the current working directory (GitHub Advisory).