Cyber Resilience

CVE-2024-48914

Critical

Published: 15 October 2024
Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS score: 0.9250 (99.8th percentile)
Risk Priority: 74 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-48914 is a critical-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS), although it is not currently listed in the CISA KEV catalog.

Deeper analysis

Vendure is an open-source headless commerce platform whose asset server plugin is affected by CVE-2024-48914 prior to versions 3.0.5 and 2.3.3. The flaw stems from insufficient input validation that permits path traversal, allowing crafted requests to read arbitrary files on the server file system and also enabling a malformed URI to crash the server process. The issue is tracked under CWE-20 and CWE-22 and carries a CVSS 3.1 score of 9.1.

An unauthenticated remote attacker can exploit the vulnerability over the network by sending specially formed asset requests that traverse directories, retrieving sensitive configuration files, environment variables, or other data stored on the host. The same request path can be abused to terminate the server, resulting in denial of service.

The project security advisory and accompanying commits indicate that the fixes are included in releases 3.0.5 and 2.3.3. Recommended mitigations include migrating from local storage to an object store such as MinIO or S3, or adding middleware that blocks any request URL containing the sequence `/../`.

The associated EPSS score stands at 0.9250, with no material rise from a lower baseline.


Vulnerability details

Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data such as configuration files, environment variables, and other critical data stored on the server. In the same code path is an additional vector for crashing the server via a malformed URI. Patches are available in versions 3.0.5 and 2.3.3. Some workarounds are also available. One may use object storage rather than the local file system, e.g. MinIO or S3, or define middleware which detects and blocks requests with URLs containing `/../`.
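The middleware workaround described above, as an added example that is not Vendure's own code: an Express-style request filter that rejects any URL containing `/../` and, going beyond the advisory's literal check, also inspects the percent-decoded path for `..` segments and treats undecodable input as a bad request rather than letting the decoder throw inside the server. The function names and sample paths are constructed for illustration.

```javascript
// Added example (not Vendure project code): request filter for the
// advisory's workaround of blocking asset URLs that contain "/../".

// decodeURIComponent throws on malformed percent-encoding; return null
// instead so the caller can decide how to treat it.
function decodeSafely(s) {
  try {
    return decodeURIComponent(s);
  } catch (err) {
    return null;
  }
}

// True when any "/"-separated segment of the path is exactly "..".
// Backslashes are normalised first so "..\" is treated like "../".
function hasDotDotSegment(path) {
  return path.replace(/\\/g, '/').split('/').some((seg) => seg === '..');
}

// Returns true when the request URL should be rejected.
function isTraversalAttempt(url) {
  // Literal check named in the advisory.
  if (url.includes('/../')) return true;

  // Only the path matters; drop the query string.
  const rawPath = url.split('?')[0];

  // First decoding pass: undecodable input is rejected as malformed.
  const once = decodeSafely(rawPath);
  if (once === null) return true;
  if (hasDotDotSegment(once)) return true;

  // Second pass catches double-encoded "%252e%252e"; a failure here is
  // not suspicious (e.g. a legitimate "%25" that decoded to a bare "%").
  const twice = decodeSafely(once);
  return twice !== null && twice !== once && hasDotDotSegment(twice);
}

// Express-style middleware (req, res, next): rejects matching requests
// with 400 before any file-system access, otherwise passes them on.
function blockPathTraversal(req, res, next) {
  if (isTraversalAttempt(req.url)) {
    res.statusCode = 400;
    res.end('Bad Request');
    return;
  }
  next();
}

if (typeof module !== 'undefined') {
  module.exports = { isTraversalAttempt, blockPathTraversal };
}
```

Mount it ahead of the asset server route (for example `app.use('/assets', blockPathTraversal)`) so it runs before any file is resolved.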


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.


Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-20, CWE-22: Directly implements checks on information inputs to reject invalid data before processing.

Addresses CWE-20: Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

Addresses CWE-20: Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

Addresses CWE-20: Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
