> NOTE! Thanks for submitting a report! Please replace all the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report!

I would like to report Path Traversal vulnerability in http-live-simulator
It allows to read arbitrary files from any location on disk

Module

module name: http-live-simulatorversion:1.0.5npm page: https://www.npmjs.com/package/http-live-simulator

Module Description

> Copy description from npm page

Module Stats

> Replace stats below with numbers from npm’s module page:

[9] weekly downloads

Vulnerability

Vulnerability Description

> Description about how the vulnerability was found and how it can be exploited, how it harms package users (data modification/lost, system access, other.

The http-live-simulator module doesn’t set a root directory and allows any arbitrary paths to be accessed on the file system and returned to requesting clients

Steps To Reproduce:

> Detailed steps to reproduce with all required references/steps/commands. If there is any exploit code or reference to the package source code this is the place where it should be put.

1. Install the module locally in an npm project: npm install http-live-simulator
2. Run the live server on a specified port: node_modules/.bin/http-live --port 8181
3. Attempt to access a file from outside that project’s directory, such as curl --path-as-is http://localhost:8181/../../file.txt
4. Files output should be returned

Supporting Material/References:

> State all technical information about the stack where the vulnerability was found

• MacOS
• Node.js 8.11.3
• npm 5.6.0

Wrap up

> Select Y or N for the following statements:

• I contacted the maintainer to let them know: [N]
• I opened an issue in the related repository: [N]

Impact

path traversal vulnerability leading to read access in arbitrary files on disk