CVE-2023-34062: Directory Traversal Vulnerability in Reactor Netty HTTP Server

A vulnerability, identified as CVE-2023-34062, has been discovered in the Reactor Netty HTTP Server, a component of the Reactor Netty framework. This vulnerability, with a CVSS score of 7.5, poses a significant threat to applications that utilize Reactor Netty HTTP Server.

Reactor Netty, a component of the broader Reactor Netty framework, offers developers a reactive and non-blocking HTTP server built on the sturdy shoulders of Netty, a high-performance asynchronous I/O framework renowned for its efficiency in handling massive data streams. Reactor Netty distinguishes itself by leveraging the Reactive Streams API, enabling sophisticated management of asynchronous data flows and making it a popular choice for scalable web applications.

The vulnerability in question manifests in specific versions of the Reactor Netty HTTP Server – namely, versions 1.1.x before 1.1.13 and 1.0.x before 1.0.39. This flaw exposes applications to directory traversal attacks. Such attacks occur when a malicious user crafts a deceptively simple yet dangerous URL, directing the server to access unauthorized directories.

The risk is especially pronounced in applications where the Reactor Netty HTTP Server is configured to serve static resources, a common setup in many web applications. This vulnerability, if exploited, could allow attackers to access sensitive files and directories, potentially leading to data breaches or further exploitation.

Among the impacted products are:

  • Reactor Netty versions from 1.1.0 to 1.1.12
  • Versions from 1.0.0 to 1.0.38
  • Older, unsupported versions of the framework

The discovery of this vulnerability serves as a crucial reminder for developers and organizations to maintain updated versions of their software frameworks.

To mitigate the risks posed by CVE-2023-34062, users of the affected versions are advised to take immediate action. Those on the 1.1.x strand should update to version 1.1.13, while those using the 1.0.x series should upgrade to 1.0.39. Fortunately, no additional steps are necessary beyond this upgrade. The released versions that have rectified this issue include:

  • Reactor Netty 1.1.13
  • Reactor Netty 1.0.39