Vulnerability in Vendure's Asset Server Plugin Allows File Access and Server Crash
CVE-2024-48914

9.1CRITICAL

Key Information:

Vendor: Vendure-ecommerce
Status: Vendure
Vendor: CVE Published:; 15 October 2024

🔔 Create Vendure-ecommerce Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 90%

What is CVE-2024-48914?

The Vendure headless commerce platform has a vulnerability in its asset server plugin that affects versions prior to 3.0.5 and 2.3.3. An attacker can exploit this vulnerability by crafting a request that is capable of traversing the server's file system, enabling them to access arbitrary files. This includes potentially sensitive data such as configuration files, environment variables, and other critical information stored on the server. Additionally, the same code path provides an opportunity for causing server crashes through malformed URIs. It is recommended that users upgrade to the patched versions 3.0.5 or 2.3.3, or implement workarounds such as using object storage solutions like MinIO or S3, and defining middleware to block requests with URLs that contain sequences like '/../'.

Affected Version(s)

vendure < 2.3.3 < 2.3.3

vendure >= 3.0.0, < 3.0.5 < 3.0.0, 3.0.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-48914
Created by EQSTLab