CVE-2023-34062 - Exploiting Directory Traversal in Reactor Netty HTTP Server — Complete Guide with PoC

---

The world of Java and reactive servers took a big hit recently with the discovery of CVE-2023-34062. This security flaw lets attackers perform directory traversal attacks on applications built using Reactor Netty HTTP Server — a core piece for many Spring and reactive Java apps.

In this post, we'll break everything down in simple terms, look at the root cause, and walk step-by-step through how an attacker can exploit this flaw. We’ll even provide code snippets and links to help you dig deeper.

Reactor Netty HTTP Server 1.0.x before 1.0.39

If you use Reactor Netty HTTP Server to serve static resources (HTML, JS, CSS, images, etc.), you may be vulnerable. The root problem is that the server did not sanitize URL path input correctly, making directory traversal possible.

What Is a Directory Traversal Attack?

This attack abuses path manipulation (.. or ../) to break out of the intended folder and access sensitive files anywhere on the server. For example, an attacker tries to fetch /../../etc/passwd to steal password hashes on Linux.

How Does the Vulnerability Work?

A malicious user can craft a URL request that abuses path traversal sequences (like ../) to reach files outside of the intended static resource directory.

Consider an app serving static files from /static on the server:

- http://yourapp.com/assets/logo.png → will serve /static/assets/logo.png

But with directory traversal:

- http://yourapp.com/assets/../../../etc/passwd → may serve /etc/passwd if checks are weak!

In affected versions of Reactor Netty HTTP Server, the sanitizing and normalization logic for URLs was flawed, so the server could fall for this trick.

1. Reactor Netty HTTP Server version older than 1.1.13 or 1.0.39

2. Static resources are served (e.g., using Spring WebFlux with @EnableWebFlux and static folder mapping)

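Suppose you have the following Spring Boot configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.web.reactive.config.ResourceHandlerRegistry;
import org.springframework.web.reactive.config.WebFluxConfigurer;

@Configuration
public class WebConfig implements WebFluxConfigurer {
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Map every request under /files/ to files in /var/www/static/
        registry
          .addResourceHandler("/files/**")
          .addResourceLocations("file:/var/www/static/");
    }
}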

Normally, accessing http://yourapp.com/files/user.txt will fetch /var/www/static/user.txt.

But since the path is not normalized safely, an attacker can request:

http://yourapp.com/files/../../../../etc/passwd

Example Attack Request

curl http://yourapp.com/files/../../../../etc/passwd

Example Vulnerable Handler (Pseudo-code)

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;

// Weak path handling (example! do not use)
static byte[] readStatic(String requested) throws IOException { // e.g. "/files/../../../../etc/passwd"
    String safeBase = "/var/www/static";
    String fullPath = Paths.get(safeBase, requested).toString(); // Flawed! ".." segments are kept
    return Files.readAllBytes(Paths.get(fullPath));
}

Unless the code calls normalize() and then checks that the result is still inside the base directory, fullPath can resolve outside of /var/www/static.

You can upgrade to the patched version in build.gradle:

implementation 'io.projectreactor.netty:reactor-netty-http:1.1.13'

Or for Maven:

<dependency>
  <groupId>io.projectreactor.netty</groupId>
  <artifactId>reactor-netty-http</artifactId>
  <version>1.1.13</version>
</dependency>

Additional Hardening

- Always validate and normalize paths using Path.normalize(), then check that the result startsWith your static folder.
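
The normalize-then-startsWith check from the bullet above, as an added example (not code from the original post or from Reactor Netty). The class name SafeStaticResolver and the sample requests are constructed for illustration, and the input is assumed to be the already URL-decoded path below the handler prefix.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

public class SafeStaticResolver { // hypothetical helper, not a Spring or Reactor Netty class
    private final Path base;

    public SafeStaticResolver(String baseDir) {
        // Normalize the base once so startsWith() compares clean absolute paths.
        this.base = Paths.get(baseDir).toAbsolutePath().normalize();
    }

    /** Maps an already URL-decoded request path to a file under base, or empty if it escapes. */
    public Optional<Path> resolve(String requestPath) {
        if (requestPath.indexOf('\0') >= 0 || requestPath.indexOf('\\') >= 0) {
            return Optional.empty(); // NUL bytes and backslashes are rejected outright
        }
        // Strip leading slashes: resolve() treats an absolute argument as a
        // replacement for the base directory, not as a child of it.
        String relative = requestPath.replaceFirst("^/+", "");
        try {
            Path candidate = base.resolve(relative).normalize(); // collapses "." and ".."
            // Path.startsWith compares whole name elements, so a sibling such as
            // /var/www/static-old does not pass as being inside /var/www/static.
            if (!candidate.startsWith(base)) {
                return Optional.empty();
            }
            // If the file exists, follow symlinks and re-check containment.
            if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base.toRealPath())) {
                return Optional.empty();
            }
            return Optional.of(candidate);
        } catch (IOException | InvalidPathException e) {
            return Optional.empty(); // unreadable or malformed path: fail closed
        }
    }

    public static void main(String[] args) {
        SafeStaticResolver r = new SafeStaticResolver("/var/www/static"); // base dir from the post
        System.out.println(r.resolve("user.txt"));               // constructed legitimate request
        System.out.println(r.resolve("../../../../etc/passwd")); // traversal path from the post
    }
}
```

The containment check runs on the normalized path, and again on the real path when the file exists, so a symlink inside the static folder that points elsewhere is also refused.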

Conclusion

Directory traversal vulnerabilities are deadly because they let attackers steal any server file that your app can read. CVE-2023-34062 is a real threat for anyone running static resources on Reactor Netty HTTP Server's vulnerable versions.

If you handle any static files with Netty, upgrade immediately. Even if you aren't sure, patching is simple and closes the door on this critical hole.

Timeline

Published on: 11/15/2023 10:15:07 UTC
Last modified on: 11/21/2023 20:11:45 UTC