Описание
Directory Traversal in serve
Affected versions of serve do not properly handle %2e (.) and %2f (/) characters, and allow the, characters to be used in paths. This can be used to traverse the directory tree and list content of any directory the user running the process has access to.
Mitigating factors: This vulnerability only allows listing of directory contents and does not allow reading of arbitrary files.
Recommendation
Update to version 6.4.9 later.
Пакеты
Наименование
serve
npm
Затронутые версииВерсия исправления
<= 6.4.8
6.4.9
Связанные уязвимости
CVSS3: 6.5
nvd
больше 7 лет назад
serve node module before 6.4.9 suffers from a Path Traversal vulnerability due to not handling %2e (.) and %2f (/) and allowing them in paths, which allows a malicious user to view the contents of any directory with known path.