43 matches found
Unauthorized File Access
Overview: All versions of node-static are vulnerable to Unauthorized File Access. The package fails to prevent access to files outside of the served folder if the filename begins with the name of the served folder. For example, if an application is serving the folder ./public, a file such as...
Node.js third-party modules: `indexFile` option passed as an argument to node-server can lead to arbitrary file read
Hi Guys, I would like to report a Path Traversal vulnerability in the indexFile parameter passed as an option to node-server. This vulnerability affects both CLI --indexFile and options.indexFile passed as an argument to Server.prototype.serveDir function in node-static.js. Module module name: node-stati...
Denial Of Service (DoS)
node-static is vulnerable to denial of service (DoS). The attack exists because it does not properly handle the argument 'path', allowing the attacker to input the path \u0000 (NULL) to crash fs.stat with the error message "TypeError [ERR_INVALID_ARG_VALUE]: The argument 'path' must be a string or...