TinaCMS Path Traversal Vulnerability in @tinacms/graphql Allowing Arbitrary File Overwrite
Vulnerability
A path traversal vulnerability has been identified in TinaCMS versions prior to 2.2.2, specifically within the @tinacms/graphql package. It allows an unauthenticated user to write and overwrite arbitrary files in the project root by manipulating the relativePath parameter of a GraphQL mutation. The root cause is the path validation logic, which does not treat backslashes as directory separators on non-Windows platforms, so a traversal sequence written with backslashes (for example "..\..\file") is not rejected as a ".." segment would be. Exploitation can replace critical server configuration files and, by tampering with build scripts, lead to execution of arbitrary commands.
Impact
Exploitation allows arbitrary files within the project to be overwritten. This can replace important server configuration files and lead to arbitrary code execution when a modified build script or server-side logic file is next executed by the environment.
Reproduction
To reproduce this vulnerability, start the TinaCMS development server. Then, send a malicious GraphQL mutation that overwrites a project file, such as package.json, by including a traversal payload in the relativePath parameter. The root package.json will be replaced with the provided data.
Remediation
Users are advised to update TinaCMS to version 2.2.2 or later, where this vulnerability has been patched.
