Directory Traversal

2023-02-0105:54:02

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

serve-lite

directory traversal

input sanitization

path.join()

remote attacker

system files

confidential information

0.002 Low

EPSS

Percentile

55.4%

JSON

serve-lite is vulnerable to Directory Traversal. The vulnerability is due to a a lack of input sanitization in the req.url parameter which is passed as-is to the path.join() function, allowing a remote attacker to access system files and retrieve confidential information via malicious input.

CPENameOperatorVersion
serve-litele1.1.0
serve-litele1.1.0

CPE	Name	Operator	Version
	serve-lite	le	1.1.0
	serve-lite	le	1.1.0

References

gist.github.com/lirantal/9ccdfda0edcb95e36d07a04b0b6c2db0

github.com/advisories/GHSA-5qq4-m6c3-xxmf

github.com/beenotung/serve-lite/blob/v1.1.0/server.js#L113

0.002 Low

EPSS

Percentile

55.4%

JSON

Related for VERACODE:39071