Description

ExpressJs used with Handlebars as templating engine (invoked via the hbs view engine) is vulnerable to a Local File Read vulnerability that allows an attacker to read arbitrary files using the layout parameter. The vulnerability appears when code like the example below is used:

var express = require('express');
var router = express.Router();

router.get('/', function(req, res, next) {
    res.render('index');
});

router.post('/', function(req, res, next) {
    // The parsed request body (client-controlled) is handed to res.render()
    // as the options object itself, so any key the client sends is treated
    // by the view engine as a rendering option, not as template data.
    var profile = req.body.profile;
    res.render('index', profile);
});

module.exports = router;
The problem lies with the following line of code:

res.render('index', profile)

Because profile comes straight from the request body and is passed as the options object, a client can supply keys that the hbs view engine reserves for itself, such as layout, and the engine will act on them.

Remediation

Pass the untrusted object as a named property of the options object rather than as the options object itself. Use the code pattern

res.render('index', { profile })

instead of

res.render('index', profile)

With the nested form, keys from the request body are visible to the template only as properties of profile and cannot set rendering options such as layout.
