TinaCMS Path Traversal Vulnerability in GraphQL Document Mutations
Vulnerability
A path traversal vulnerability has been identified in TinaCMS versions prior to 2.1.2. The issue arises in the headless content management system's GraphQL API, where relative file paths used in document mutations are not properly validated. This lack of validation allows paths to escape the intended directory boundaries, enabling authenticated users with document mutation permissions to create, move, or delete files outside of designated collection directories. The impact is partly mitigated by the fact that all file operations are typically tracked in Git, making malicious changes visible and reversible.
Impact
Exploitation of this vulnerability allows authenticated users with document mutation permissions to create, move, or delete files outside of the intended collection boundaries. While such actions are tracked in Git and can be reverted, the ability to manipulate files outside of designated directories poses a risk, particularly if sensitive information is inadvertently accessed or modified.
Reproduction
The vulnerability can be reproduced by sending GraphQL mutations that include relative file paths with directory traversal sequences. For example, a 'createDocument' mutation can be used to create a file outside the collection directory by specifying a relative path that includes '../' sequences. Similarly, existing files can be moved outside the collection boundaries using the 'updateDocument' mutation, and files can be deleted from outside the collection using the 'deleteDocument' mutation.
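The defensive check that the advisory implies, written here as an added example rather than TinaCMS's own code: a client-supplied relative path is resolved against the collection root and rejected when the normalised result lands outside it. The collection root, the helper names and the sample mutation paths are constructed for illustration, and a naive prefix comparison is included to show why it is not a sufficient containment test.

```typescript
import * as path from "node:path";

// Added example, not TinaCMS code. POSIX path rules are used throughout so
// the results are the same on every platform.
const posix = path.posix;

// Resolve a relativePath taken from a createDocument / updateDocument /
// deleteDocument mutation against the collection root. Returns the absolute
// target, or null when the path would escape the collection.
export function resolveInCollection(collectionRoot: string, relativePath: string): string | null {
  if (posix.isAbsolute(relativePath)) return null;   // only relative paths are expected
  const root = posix.resolve(collectionRoot);
  const target = posix.resolve(root, relativePath); // collapses '.' and '..' segments
  const rel = posix.relative(root, target);
  // After normalisation an escape is exactly '..' or begins with '../'.
  // Testing the relative hop, rather than a string prefix of the absolute
  // path, also stops '/content/posts-archive' passing as inside '/content/posts'.
  if (rel === "" || rel === ".." || rel.startsWith("../")) return null;
  return target;
}

// Naive prefix check, kept only to illustrate the sibling-directory flaw.
export function naivePrefixCheck(collectionRoot: string, relativePath: string): boolean {
  const root = posix.resolve(collectionRoot);
  return posix.resolve(root, relativePath).startsWith(root);
}

// Constructed sample of relativePath values as they might arrive in mutations.
export const SAMPLE_PATHS = [
  "hello-world.md",
  "2024/launch.md",
  "drafts/../hello-world.md",
  "../../.tina/config.ts",
  "../posts-archive/old.md",
  "/etc/passwd",
];

// Map each sample path to its resolved target, or null when rejected.
export function classify(collectionRoot: string): Record<string, string | null> {
  const out: Record<string, string | null> = {};
  for (const p of SAMPLE_PATHS) out[p] = resolveInCollection(collectionRoot, p);
  return out;
}

const ROOT = "/srv/site/content/posts"; // constructed collection directory
for (const [p, r] of Object.entries(classify(ROOT))) {
  console.log(`${r ? "ok     " : "REJECT "} ${p}${r ? " -> " + r : ""}`);
}
```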
Remediation
Users are advised to update TinaCMS to version 2.1.2 or later, where this vulnerability has been patched.