Node.js third-party modules: [serve] Path Traversal

ID H1:510043
Type hackerone
Reporter guardian_trooper
Modified 2019-05-03T16:55:25


I would like to report a path traversal vulnerability in the serve module. It allows an attacker to read files outside the web root (including system files) via a symlink placed in the served directory.


module name: serve
version: 10.1.2
npm page:

Module Description

Assuming you would like to serve a static site, single page application or just a static file (no matter if on your device or on the local network), this package is just the right choice for you.

It behaves exactly like static deployments on Now, so it's perfect for developing your static project. Then, when it's time to push it into production, you deploy it.

Furthermore, it provides a neat interface for listing the directory's contents:


Vulnerability Description

With a symlink inside the working directory (the directory serve is started in), it was possible to fetch files outside the web root directory: serve follows the symlink and serves the target's contents as if they were under the root. Note the precondition: the attacker needs a symlink inside the served directory, either one that already exists or one they can create (for example through an upload feature), since serve itself does not create it.

Steps To Reproduce:

1. Make a directory: $ mkdir test
2. Change into the test directory: $ cd test
3. Create a symlink that points outside the web root: $ ln -s ../../ symdir
4. Install the serve module: $ yarn global add serve
5. Run the serve module from inside the test directory: $ serve


> If you're able to provide a patch with the fix please post it in this section

Supporting Material/References:

> State all technical information about the stack where the vulnerability was found

  • [NODEJS VERSION] 11.8.0
  • [NPM VERSION] 6.5.0

Wrap up

> Select Y or N for the following statements:

  • I contacted the maintainer to let them know: [N]
  • I opened an issue in the related repository: [N]

> Hunter's comments and funny memes goes here


This could have enabled an attacker to read system files (for example configuration files or credentials readable by the user running serve) and use the disclosed information as a stepping stone to further attacks such as remote code execution.