Path Traversal in serve-here.js

2021-09-2218:40:57

Google

osv.dev

serve-here.js

path traversal

vulnerability

sanitize urls

relative paths

security flaw

EPSS

0.001

Percentile

48.3%

JSON

Versions of serve-here.js prior to 1.2.0 are vulnerable to path traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths.

References

github.com/ChristoPy/serve-here.js

hackerone.com/reports/569966

nvd.nist.gov/vuln/detail/CVE-2019-5444

www.npmjs.com/advisories/1019

EPSS

0.001

Percentile

48.3%

JSON

Related for OSV:GHSA-4448-RC82-FCR7