CVE-2023-46497 in EverShop NPM
Summary
by MITRE • 12/08/2023
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the mkdirSync function in the folderCreate/createFolder.js endpoint.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 11/18/2025
The CVE-2023-46497 vulnerability represents a critical directory traversal flaw within the EverShop open-source e-commerce platform that affects NPM versions prior to v.1.0.0-rc.8. This vulnerability specifically targets the mkdirSync function implementation within the folderCreate/createFolder.js endpoint, creating a significant security risk that enables remote attackers to access sensitive system information through carefully crafted HTTP requests. The flaw resides in how the application processes directory creation requests without proper input validation, allowing malicious actors to manipulate path traversal sequences that bypass intended security boundaries. This vulnerability falls under the CWE-22 category of Improper Limitation of a Pathname to a Restricted Directory, commonly known as Path Traversal, which is a well-documented weakness in software systems that handle file operations. The attack vector is particularly concerning because it operates over network protocols, enabling remote exploitation without requiring local system access or authentication credentials.
The technical implementation of this vulnerability exploits the lack of proper sanitization in the mkdirSync function call within the createFolder.js file, where user-supplied input is directly processed without adequate validation or canonicalization. When an attacker sends a malicious request containing specially crafted path sequences such as ../ or ..\, the application fails to properly resolve these paths, allowing the traversal to occur beyond the intended directory boundaries. This flaw specifically impacts the folder creation functionality, where the system should only permit creation of directories within designated application folders but instead allows arbitrary path manipulation. The vulnerability's impact extends beyond simple directory traversal as it can potentially expose sensitive system files, configuration data, and other confidential information that may reside on the same system. The attack surface is further expanded because the vulnerability exists in a core file operation function that is likely invoked during normal application usage, making detection and exploitation relatively straightforward for attackers who understand the application's architecture.
From an operational standpoint, this vulnerability creates substantial risk for organizations using affected EverShop versions, as it can lead to data breaches, system compromise, and potential regulatory violations. The remote nature of the attack means that adversaries can exploit this flaw from anywhere on the internet, without requiring physical access to the system or knowledge of internal network structures. Security teams must consider the potential for cascading effects, as successful exploitation could provide attackers with access to system-level information that might reveal network topology, application configurations, or even credentials stored in accessible files. The vulnerability also creates opportunities for privilege escalation attacks, where attackers might leverage the directory traversal to gain access to restricted system areas or manipulate application data in ways that could compromise business operations. This flaw aligns with ATT&CK technique T1083 (File and Directory Discovery) and T1059 (Command and Scripting Interpreter) as it enables attackers to explore system directories and potentially execute malicious commands through manipulated file operations.
Organizations should immediately implement mitigations including updating to EverShop version 1.0.0-rc.8 or later, which contains the necessary patches to address this directory traversal vulnerability. Additionally, network-level controls such as web application firewalls should be configured to detect and block suspicious path traversal patterns in requests to folder creation endpoints. Input validation should be strengthened at multiple layers including application-level sanitization, API gateway filtering, and database query parameterization to prevent malicious path sequences from being processed. Security monitoring should include detection of unusual directory creation patterns and requests containing path traversal sequences. The vulnerability also highlights the importance of implementing proper access controls and least privilege principles, ensuring that application processes operate with minimal required permissions and that directory creation functions are properly restricted to prevent unauthorized system access. Regular security assessments and penetration testing should be conducted to identify similar vulnerabilities in other application components, particularly those handling file operations and user input processing. Organizations should also consider implementing automated vulnerability scanning tools that can detect path traversal patterns in their code repositories and application deployments to prevent similar issues from being introduced in future development cycles.