Mammoth Directory Traversal Vulnerability Allowing Arbitrary File Read and Denial-of-Service
Vulnerability
A directory traversal vulnerability has been identified in the Mammoth library, specifically in versions prior to 1.11.0. This vulnerability arises from inadequate validation of file paths and types when processing DOCX files that contain images linked externally via the 'r:link' attribute, rather than embedded. The library resolves these URIs to file paths and reads the files without proper validation. The extracted content is then encoded in base64 and included in the HTML output as a data URI. This flaw enables attackers to read arbitrary files from the system where the conversion takes place. Additionally, by crafting a DOCX file that links to certain device files like '/dev/random' or '/dev/zero', an attacker can cause excessive resource consumption, leading to a denial-of-service condition.
Impact
Exploitation of this vulnerability allows arbitrary files to be read, including sensitive files such as '/etc/passwd' or '/proc/self/environ', and can cause a denial of service by exhausting system resources or crashing the process that performs the DOCX conversion.
Reproduction
To reproduce this vulnerability, create a DOCX file that includes an image linked via the 'r:link' attribute to a sensitive file, such as '/etc/passwd'. When this file is processed by the Mammoth library, the contents of the linked file will be included in the output HTML. Alternatively, link to a device file like '/dev/random' to create a denial-of-service condition by causing the conversion process to hang indefinitely.
Remediation
Users are advised to upgrade to Mammoth version 1.11.0 or higher, which disables external file access by default.
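Where a converter cannot be upgraded immediately, or as defence in depth in front of any DOCX-to-HTML pipeline, the linked-image declarations can be inspected before the file is handed to the converter. The following is an added example for this advisory and is not code from the Mammoth project: it opens the DOCX package, walks every relationship part, and flags image relationships marked TargetMode="External" whose Target is not an absolute http(s) URL, since a bare path or file: URI is exactly what gets resolved against the local filesystem in the affected versions. The package-building helper only produces a constructed minimal test input; its XML skeleton is not a full Word document.

```python
"""Pre-conversion check for externally linked images in a DOCX package.

Added example for this advisory, not Mammoth project code. It inspects only
the OPC relationship parts (word/_rels/*.rels and friends), which is where a
linked rather than embedded image is declared.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
)


def find_external_image_targets(docx_bytes):
    """Return the Target of every image relationship with TargetMode="External",
    from any .rels part in the package (main document, headers, footers, ...)."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != IMAGE_REL_TYPE:
                    continue
                # TargetMode defaults to Internal when the attribute is absent.
                if rel.get("TargetMode", "Internal") == "External":
                    targets.append(rel.get("Target", ""))
    return targets


def is_safe_external_target(target):
    """Accept only absolute http(s) URLs. Bare paths, relative references and
    file: URIs are rejected because a converter may resolve them locally."""
    parsed = urlparse(target)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def check_docx(docx_bytes):
    """Return (ok, offending_targets); ok is False if any linked image
    points somewhere other than an absolute http(s) URL."""
    bad = [t for t in find_external_image_targets(docx_bytes)
           if not is_safe_external_target(t)]
    return (not bad, bad)


def build_sample_docx(image_target, target_mode="External"):
    """Construct a minimal DOCX-like package containing one image
    relationship. Constructed test input only, not a real Word file."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{IMAGE_REL_TYPE}" '
        f'Target="{image_target}" TargetMode="{target_mode}"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        )
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # A linked image pointing at a local path is rejected; an https URL
    # and an ordinary embedded (Internal) image pass.
    for target, mode in [("/etc/passwd", "External"),
                         ("https://example.com/logo.png", "External"),
                         ("media/image1.png", "Internal")]:
        ok, bad = check_docx(build_sample_docx(target, mode))
        print(f"{target!r} ({mode}): ok={ok} offending={bad}")
```

Run the check on untrusted uploads and refuse, or quarantine, any package for which check_docx returns False. This does not replace the upgrade: it blocks the declaration that triggers the read, but only the fixed version guarantees the converter never opens a local path.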
