Path Traversal
@hono/node-server is vulnerable to Path Traversal. The vulnerability is due to improper url string validation in src/request.ts, allowing an attacker to use .. in the request URL to access arbitrary files on the static server...
@zemble/node (>=0.0.11 <=0.0.14), waku (>=0.19.0 <=0.19.1) potentially affected by CVE-2024-23340 via @hono/node-server (>=1.3.3 <=1.4.0)
@hono/node-server NPM version =1.3.3, =0.0.11, =0.19.0, =0.19.1 Source cves: CVE-2024-23340 Source advisory: OSV:GHSA-RJQ5-W47X-X359...
CVE-2024-23340
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with url behavior that is unexpected. In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request...
Design/Logic Flaw
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with url behavior that is unexpected. In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request...
CVE-2024-23340 @hono/node-server can't handle "double dots" in URL
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with url behavior that is unexpected. In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request...
CVE-2024-23340
The CVE concerns @hono/node-server (Node.js adapter) where its custom Request.url does not resolve ".." (double dots), causing un-resolved paths like http://localhost/static/../foo.txt to be passed to serveStatic. This path-traversal can enable access to unintended files on the static server, u...
node-server path traversal vulnerability
node-server is an adapter that allows users to run Hono applications on Node.js. A path traversal vulnerability exists in node-server versions from 1.3.0 up to, but not including, 1.4.1; it stems from an inability to resolve double dots in a URL...
Path Traversal
web-node-server is vulnerable to Path Traversal. The vulnerability is due to a lack of sanitization of relative file paths in the start function of nodeserver.js, which allows an attacker to write arbitrary files outside the expected directory...
Malicious code in seal_online_node_server (npm)
Source: ghsa-malware 7bf0243aa25b356dbd5d2f2018019d81b39aa0ce936772bd7aa1761a1c306b85. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-5987 Malicious code in seal_online_node_server (npm)
Source: ghsa-malware 7bf0243aa25b356dbd5d2f2018019d81b39aa0ce936772bd7aa1761a1c306b85. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
GHSA-WM7H-9275-46V2 Crash in HeaderParser in dicer
This affects all versions of the package dicer. A malicious attacker can send a modified form to the server and crash the Node.js service. A complete denial of service can be achieved by sending the malicious form in a loop...
Node.js: HTTP Request Smuggling Due To Improper Delimiting of Header Fields
Summary: The llhttp parser in the http module in Node v17.8.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). Description: The LF character without CR is sufficient to delimit HTTP header fields in the llhttp parser. According to...
GHSA-273R-MGR4-V34F Uncaught Exception in engine.io
Impact: A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear at Receiver.getInfo /.../node_modules/ws/lib/receiver.js:176:14 at Receiver.startLoop...
4m-node-server (>=0.0.1 <=0.0.8), @2109-t5/server (>=1.0.0 <=1.0.9) +434 more potentially affected by unknown CVE via apollo-server (>=3.10.0 <=3.3.0)
apollo-server NPM version =3.10.0, =0.0.1, =1.0.0, =0.1.0, =0.4.52, =0.0.1, =1.0.7, =10.4.0, =9.0.0, =10.0.0, =10.0.0, =10.5.0, =10.4.0, =0.9.1, =0.9.6 and more Source cves: unknown CVE Source advisory: OSV:GHSA-QM7X-RC44-RRQW...
CVE-2021-29486
cumulative-distribution-function is an open source npm library which calculates a statistical cumulative distribution function from a data array of x values. In versions prior to 2.0.0, apps using this library on improper data may crash or go into an infinite loop. In the case of a nodejs...
ts-node-server (>=1.1.0 <=2.0.0) potentially affected by CVE-2019-10746 via mixin-deep (=2.0.0)
mixin-deep NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on mixin-deep and may be impacted: - ts-node-server =1.1.0, =2.0.0 Source cves: CVE-2019-10746 Source advisory: OSV:GHSA-FHJF-83WG-R2J9...
ts-node-server (>=1.1.0 <=2.0.0) potentially affected by CVE-2019-10746 via mixin-deep (=2.0.0)
mixin-deep NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on mixin-deep and may be impacted: - ts-node-server =1.1.0, =2.0.0 Source cves: CVE-2019-10746 Source advisory: SNYK:JS-MIXINDEEP-450212...
Directory Traversal in node-server-forfront
Affected versions of node-server-forfront resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable syste...
GHSA-J38M-7Q52-FGFH Directory Traversal in node-server-forfront
Affected versions of node-server-forfront resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable syste...