DV0x Creative Ad Agent Path Traversal Vulnerability in Creative Ad Agent Server
Vulnerability
A path traversal vulnerability has been identified in DV0x Creative Ad Agent versions prior to commit 751b9e5146604dc65049bd0f62dcbdad6212f8a3. The issue resides in the Creative Ad Agent Server component, specifically within the file server/sdk-server.ts. The vulnerability arises because the endpoint /images/:sessionId?/:filename accepts user-controlled parameters and constructs a filesystem path without proper validation. This lack of validation allows an attacker to manipulate the path and access arbitrary files on the server, including sensitive host files like /etc/hosts. The vulnerability can be exploited remotely, and an exploit is publicly available.
Impact
Exploitation of this vulnerability leads to arbitrary file disclosure, allowing attackers to read files outside the intended directory, including sensitive system files.
Reproduction
To reproduce this vulnerability, start the affected server and send a request to the /images/:sessionId?/:filename endpoint with a crafted filename parameter that includes encoded traversal sequences, such as %2e%2e/, to escape the intended directory and access unauthorized files.
Remediation
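Users are advised to update to the patched version, which is available in the same repository. Per the affected-version range above, that means a build that includes commit 751b9e5146604dc65049bd0f62dcbdad6212f8a3.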
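The sketch below is an added example, not the project's code or its actual patch. It sets the unvalidated path construction described above beside a hardened resolver that a route handler could call before serving a file. `IMAGE_ROOT`, `unsafeImagePath` and `safeImagePath` are hypothetical names, and a POSIX host is assumed.

```typescript
// Added example: names and paths below are hypothetical, not the project's code.
import { posix as path } from "node:path"; // POSIX semantics assumed (Linux host)

const IMAGE_ROOT = "/srv/creative-ad-agent/generated-images"; // assumed directory

// One path segment only: no "/", "\", "%", NUL, and no leading dot ("." or "..").
const SAFE_SEGMENT = /^[A-Za-z0-9_-][A-Za-z0-9._-]{0,127}$/;

// Pattern the advisory describes: request parameters joined straight onto the root.
function unsafeImagePath(sessionId: string | undefined, filename: string): string {
  return path.join(IMAGE_ROOT, sessionId ?? "", filename);
}

// Hardened form: allowlist each segment, then verify containment after resolution.
function safeImagePath(sessionId: string | undefined, filename: string): string | null {
  const segments = sessionId === undefined ? [filename] : [sessionId, filename];
  if (!segments.every((s) => SAFE_SEGMENT.test(s))) return null;

  const root = path.resolve(IMAGE_ROOT);
  const candidate = path.resolve(root, ...segments);
  const rel = path.relative(root, candidate);
  // Defence in depth: reject anything resolving to the root itself or outside it.
  if (rel === "" || rel === ".." || rel.startsWith("../") || path.isAbsolute(rel)) {
    return null;
  }
  // A deployment should also compare fs.realpath() results so symlinks cannot escape.
  return candidate;
}
```

A handler would answer with a 4xx status whenever `safeImagePath` returns `null`, and only then pass the returned path to the file-serving call.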
