Smidge.Core is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
75
High Risk
Affected versions of this package are vulnerable to arbitrary file creation due to improper handling of the version parameter in HTTP requests for CSS/JS bundles. By manipulating this parameter, an attacker can control the server-side cache directory. This enables username enumeration, by testing whether folders exist in paths like C:\Users, and disk-space depletion, by forcing the server to create a unique cache file for each request. These attacks can be performed by unauthenticated users, potentially leading to information disclosure or denial of service by filling the server's storage.
You are affected if you are using a version that falls within the vulnerable range.
Smidge.Core is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in versions 4.0.0 - 4.5.1.
Upgrade the Smidge.Core library to a patched version.
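The class of check that closes both problems described above, a request-controlled cache directory and one new cache entry per request, is sketched below as an added example; it is not Smidge's code or its actual fix. `CachePathGuard`, `TryResolve`, the token pattern and the "current version" comparison are all assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

// Hypothetical helper, not part of Smidge: maps a request-supplied version
// token to a directory that must stay under a fixed cache root.
public static class CachePathGuard
{
    // Assumption: legitimate version tokens are short and use only letters,
    // digits, '.', '_' and '-', so separators and drive letters never match.
    private static readonly Regex VersionToken =
        new Regex(@"\A[A-Za-z0-9._-]{1,64}\z", RegexOptions.CultureInvariant);

    public static bool TryResolve(string cacheRoot, string requestedVersion,
                                  string currentVersion, out string cacheDir)
    {
        cacheDir = null;
        // 1. Allowlist the token's shape; "." and ".." pass the regex, so reject dot-only tokens.
        if (requestedVersion == null || !VersionToken.IsMatch(requestedVersion)
            || requestedVersion.Trim('.').Length == 0)
            return false;
        // 2. Assumption: the server knows the one version it currently issues. Refusing
        //    any other value stops each request from creating a fresh cache entry.
        if (!string.Equals(requestedVersion, currentVersion, StringComparison.Ordinal))
            return false;
        // 3. Defence in depth: canonicalise and confirm the result is still under the root.
        string root = Path.GetFullPath(cacheRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
            root += Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, requestedVersion));
        if (!candidate.StartsWith(root, StringComparison.Ordinal))
            return false;
        cacheDir = candidate;
        return true;
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "bundle-cache");
        // Constructed sample inputs: only the first matches the current version "42".
        foreach (var v in new[] { "42", "..", @"..\..\Users", "C:/Users", "43" })
            Console.WriteLine($"{v,-14} -> {TryResolve(root, v, "42", out _)}");
    }
}
```

A rejected token should be answered without touching the file system, so the response reveals nothing about which directories exist.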