Hexpm Path Traversal Vulnerability in Local Storage Backend
Vulnerability
A path traversal vulnerability has been identified in the Hexpm package manager's local storage backend, affecting versions from commit 931ee0e up to, but not including, commit 5d2ccd2. The flaw permits relative path traversal, enabling arbitrary file reads or writes with the permissions of the running process. It arises because user-controlled path parameters are used as storage keys without being sanitized, so a crafted key can resolve to a location outside the intended storage directory. The production version of hex.pm is not affected; self-hosted deployments that use the local file storage backend are affected, as are development and test environments.
Impact
Exploitation of this vulnerability could lead to unauthorized access to files outside the intended directory, potentially exposing sensitive information or allowing manipulation of critical files.
Reproduction
The vulnerability can be reproduced by uploading a file through the local storage backend using a path that includes '../' sequences to traverse directories. This can be done using the 'put' method of the 'Elixir.Hexpm.Store.Local' module. After uploading, the file can be accessed through the 'get' method, demonstrating the path traversal capability.
Remediation
Users can upgrade to the patched version available in commit 5d2ccd2. If an immediate upgrade is not possible, the local file store backend should be avoided in any exposed environment, and network access to the registry should be restricted when using the local backend. Production deployments should use object storage instead of the local filesystem store.
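One way to close this class of bug in a local file store, shown here as an added illustration that is neither Hexpm's own code nor the actual fix in commit 5d2ccd2: every key is validated before it is joined to the storage root, and the resolved absolute path must still lie under that root. The module name SafeLocalStore, its function names and the root/key arguments are assumptions made for the example.

```elixir
defmodule SafeLocalStore do
  @moduledoc """
  Added illustration (not Hexpm's code): a local file store that refuses any key
  whose resolved path would leave the configured root directory.
  """

  # Resolve `key` under `root`. Returns {:ok, path} only when the key is
  # relative, contains no "." or ".." segments or NUL bytes, and the expanded
  # absolute path still starts with the root directory.
  def safe_path(root, key) when is_binary(root) and is_binary(key) do
    root = Path.expand(root)
    prefix = if String.ends_with?(root, "/"), do: root, else: root <> "/"

    cond do
      String.contains?(key, <<0>>) ->
        {:error, :null_byte}

      Path.type(key) != :relative ->
        {:error, :absolute_key}

      Enum.any?(Path.split(key), &(&1 in [".", ".."])) ->
        {:error, :traversal}

      true ->
        # Belt and braces: even with the segment check above, verify the
        # fully expanded path is inside the root before touching the disk.
        path = Path.expand(key, root)
        if String.starts_with?(path, prefix), do: {:ok, path}, else: {:error, :traversal}
    end
  end

  # Write `body` under `key`, creating parent directories inside the root.
  def put(root, key, body) do
    with {:ok, path} <- safe_path(root, key) do
      File.mkdir_p!(Path.dirname(path))
      File.write(path, body)
    end
  end

  # Read the object stored under `key`, or return the validation error.
  def get(root, key) do
    with {:ok, path} <- safe_path(root, key), do: File.read(path)
  end
end

# Constructed demonstration values (not from the advisory):
# SafeLocalStore.safe_path("/var/lib/store", "tarballs/foo-1.0.0.tar")
#   => {:ok, "/var/lib/store/tarballs/foo-1.0.0.tar"}
# SafeLocalStore.safe_path("/var/lib/store", "../../etc/passwd")
#   => {:error, :traversal}
# SafeLocalStore.safe_path("/var/lib/store", "/etc/passwd")
#   => {:error, :absolute_key}
```

The segment check rejects keys such as "docs/../x" even though they would resolve inside the root; for a package store that is the right trade-off, since legitimate keys never need ".." and the stricter rule is easier to audit. The post-expansion prefix check is kept as a second line of defence so that a future change to the key format cannot silently reopen the traversal.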
