CVE-2024-38816 is a recent security vulnerability in applications that serve static files using Spring's functional web frameworks – WebMvc.fn and WebFlux.fn. If your app uses these frameworks to serve files from the file system, attackers could potentially read *any* file your app can access by crafting specially formatted HTTP requests, thanks to a path traversal bug. This post explains what’s at stake, how the vulnerability works, and what you need to do to stay safe.

Exclusive: We’ll break it down using clear examples, simple code, and links to official references.

You are NOT affected IF

- You use the Spring Security HTTP Firewall
- Your app is deployed on Tomcat or Jetty servlet containers (these block malicious requests automatically)

Path Traversal 101

A "path traversal" flaw lets attackers access files outside the intended directory by inserting special character sequences in request URLs—typically ../. For example, if your app is meant to serve only /static/file.txt, attackers might try /static/../../etc/passwd, and if not blocked, your server could return the actual /etc/passwd file (on Linux)!

Imagine a Spring application that uses WebMvc.fn to serve a file-system resource:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.function.RouterFunction;
import org.springframework.web.servlet.function.RouterFunctions;
import org.springframework.web.servlet.function.ServerResponse;
import org.springframework.core.io.FileSystemResource;

@Configuration
public class StaticResourceRouter {

    @Bean
    public RouterFunction<ServerResponse> staticResourceRouter() {
        // BAD: Serving files from /var/www/static via FileSystemResource
        return RouterFunctions.resources("/files/**", new FileSystemResource("/var/www/static/"));
    }
}

With this setup, a request to

GET /files/../../../../etc/passwd

might return the server's sensitive /etc/passwd file!
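As an added example (not code from the original post), here is a hardened WebMvc.fn handler that serves files from the same directory but refuses anything that resolves outside it. It replaces RouterFunctions.resources with an explicit handler that normalises the requested path and checks containment against the base directory; SafeStaticResourceRouter, serveFile, stripLeadingSlashes and the BASE_DIR value are all names chosen for this illustration. The same containment check applies unchanged to a WebFlux.fn handler.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.PathResource;
import org.springframework.http.HttpStatus;
import org.springframework.web.servlet.function.RouterFunction;
import org.springframework.web.servlet.function.RouterFunctions;
import org.springframework.web.servlet.function.ServerRequest;
import org.springframework.web.servlet.function.ServerResponse;

@Configuration
public class SafeStaticResourceRouter {

    // Assumed base directory (hypothetical path, mirrors the post's example).
    private static final Path BASE_DIR =
            Paths.get("/var/www/static").toAbsolutePath().normalize();

    @Bean
    public RouterFunction<ServerResponse> safeStaticResourceRouter() {
        // "{*path}" captures everything after /files, leading slash included.
        return RouterFunctions.route()
                .GET("/files/{*path}", SafeStaticResourceRouter::serveFile)
                .build();
    }

    static ServerResponse serveFile(ServerRequest request) throws IOException {
        String requested = request.pathVariable("path");

        // Resolve against the base directory and collapse "." and ".." segments.
        Path candidate = BASE_DIR.resolve(stripLeadingSlashes(requested)).normalize();

        // Containment check 1 (lexical): after normalisation the target must still
        // start with BASE_DIR. "/files/../../etc/passwd" normalises to "/etc/passwd",
        // which fails here and is answered with 404 instead of the file.
        if (!candidate.startsWith(BASE_DIR) || !Files.isRegularFile(candidate)) {
            return ServerResponse.status(HttpStatus.NOT_FOUND).build();
        }

        // Containment check 2 (physical): a symlink inside BASE_DIR may still point
        // outside it, so compare the resolved real paths as well.
        if (!candidate.toRealPath().startsWith(BASE_DIR.toRealPath())) {
            return ServerResponse.status(HttpStatus.NOT_FOUND).build();
        }

        return ServerResponse.ok().body(new PathResource(candidate));
    }

    // Drop leading slashes so Path.resolve treats the value as relative to BASE_DIR
    // rather than as an absolute path that would replace it.
    static String stripLeadingSlashes(String p) {
        int i = 0;
        while (i < p.length() && p.charAt(i) == '/') {
            i++;
        }
        return p.substring(i);
    }
}
```

Upgrading to a Spring Framework release that contains the fix for CVE-2024-38816 remains the first thing to do; the handler shows the check that file-serving code has to perform (and that Tomcat and Jetty perform in front of it) so you can recognise whether your own code does it. Answering with 404 rather than 403 avoids confirming that a path outside the directory exists.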

Find the endpoint

- Attacker discovers /files/ serves static content.

Craft a path traversal URL

- Example: GET /files/../../../../etc/shadow

Send request

- If not blocked, attacker sees file contents from somewhere outside /var/www/static.

With Spring WebFlux.fn the pattern is the same:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.reactive.function.server.RouterFunction;
import org.springframework.web.reactive.function.server.RouterFunctions;
import org.springframework.web.reactive.function.server.ServerResponse;
import org.springframework.core.io.FileSystemResource;

@Configuration
public class StaticResourceRouter {

    @Bean
    public RouterFunction<ServerResponse> staticResourceRouter() {
        // BAD: exposing static files directly from the file system via FileSystemResource
        return RouterFunctions.resources("/public/**", new FileSystemResource("/opt/app/assets/"));
    }
}

Request

GET /public/../../../application.yml

Potentially leaks sensitive config information!

- Tomcat and Jetty: these servlet containers reject requests whose URL contains directory-traversal sequences out-of-the-box, before the request reaches the application.
- Spring Security HTTP Firewall: this firewall detects and blocks dangerous URL patterns, such as path traversal, before the request reaches the router.

References

- Spring Security HTTP Firewall Documentation
- Spring Framework Advisory: CVE-2024-38816 *(official notice might be updated eventually)*
- CVSS Details for CVE-2024-38816 - NVD

1. Avoid Serving Files Directly

- Use ClassPathResource instead of FileSystemResource where possible, so only files packaged with the application can be served.

2. Enable the Spring Security HTTP Firewall

- Add this to your app. With Spring Security on the classpath (for Spring Boot, the spring-boot-starter-security dependency), every request passes through the HTTP Firewall (StrictHttpFirewall by default), which rejects non-normalized URLs such as those containing .. before they reach the router. The configuration keeps all routes public; the protection comes from the filter chain itself. This snippet applies to the servlet (WebMvc) stack.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class FirewallConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // permitAll keeps the routes public; the protection comes from the filter chain,
        // whose StrictHttpFirewall rejects non-normalized URLs (e.g. "..") up front.
        return http
          .authorizeHttpRequests(authz -> authz.anyRequest().permitAll())
          .build();
    }
}
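To see what the firewall actually does with the traversal request from earlier, here is an added JUnit 5 test (not from the original post) that feeds requests straight into Spring Security's StrictHttpFirewall, the default implementation behind the HTTP Firewall. It needs spring-security-web and spring-test (for MockHttpServletRequest) on the test classpath; the class and method names are made up for this example.

```java
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

class HttpFirewallTraversalTest {

    // Same default instance Spring Security installs when nothing is customised.
    private final StrictHttpFirewall firewall = new StrictHttpFirewall();

    @Test
    void normalRequestPassesThrough() {
        // Constructed request for a file inside the served directory.
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/files/file.txt");
        assertDoesNotThrow(() -> {
            firewall.getFirewalledRequest(request);
        });
    }

    @Test
    void traversalRequestIsRejected() {
        // Constructed request using the traversal URL from the post. StrictHttpFirewall
        // refuses any URL that is not normalized (contains "." or ".." segments), so the
        // request never reaches the router and the file is never read.
        MockHttpServletRequest request =
                new MockHttpServletRequest("GET", "/files/../../../../etc/passwd");
        assertThrows(RequestRejectedException.class, () -> {
            firewall.getFirewalledRequest(request);
        });
    }
}
```

In a running application the rejection happens inside FilterChainProxy, which sits in front of the DispatcherServlet, so the RouterFunction from the vulnerable examples is never invoked for such a request. If a test like this starts failing after someone relaxes the firewall (for example by switching to DefaultHttpFirewall), that is your signal that the traversal protection has been removed.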

Conclusion

*CVE-2024-38816* highlights the risks of directly serving file system resources via Spring WebMvc.fn or WebFlux.fn. If your deployment or configuration matches the vulnerable pattern, apply the fixes above immediately. Path traversal flaws are easy to exploit and can expose critical data.

Stay vigilant! Keep dependencies up to date (the Spring Framework advisory in the references lists the releases that contain the fix), use proper firewalls, and avoid serving file-system paths directly unless absolutely necessary.

Have you found CVE-2024-38816 in your environment? Let us know in the comments, and share your fix!

*Copyright © 2024 – This is an exclusive, plain-language breakdown for security practitioners and developers.*

Timeline

Published on: 09/13/2024 06:15:11 UTC
Last modified on: 09/13/2024 14:06:04 UTC