TinaCMS Path Traversal Vulnerability in Media Endpoints Allowing Arbitrary File Access
Vulnerability
A path traversal vulnerability has been identified in the TinaCMS CLI development server in versions prior to 2.1.8. The media endpoints do not properly handle user-controlled path segments, so an attacker can read, write, or delete arbitrary files outside the designated media directory. The issue is exposed whenever the development server is running (typically on localhost port 4001) and is reachable through endpoints such as /media/list/*, /media/upload/*, and /media/*. The root cause is that the server builds filesystem paths from request segments using decodeURI() and path.join() and never verifies that the resulting path is still inside the allowed media directory; path.join() normalizes ../ sequences rather than rejecting them, so a decoded segment containing them simply walks out of the media root.
Impact
Exploitation allows arbitrary file read, write, and delete operations with the privileges of the server process. An attacker could read sensitive files such as .env files or SSH keys, write files to any location the server process can write to, and delete or overwrite existing files, which can lead to code execution if the overwritten target is an executable script or a configuration file that is later loaded.
Reproduction
To reproduce, start the TinaCMS development server and send requests to the media endpoints whose path segments contain traversal sequences (for example ../, or the same sequence with the dots percent-encoded, which decodeURI() restores before the path is joined). A request to the /media/list/ endpoint with such a segment reads files outside the media directory; a request to the /media/upload/ endpoint with a traversal sequence writes the uploaded file outside the intended directory; and a DELETE request to the /media/ endpoint with a traversal payload deletes a file of the attacker's choosing.
Remediation
Users are advised to update the TinaCMS CLI to version 2.1.8 or later, where this vulnerability has been fixed. Until the update is applied, the development server should not be reachable from anything other than the local machine, since the affected endpoints accept requests without any containment check on the path.
