An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJtcDUtbTk2OC1nd3Iy

Moderate
EPSS: 0.00274% (0.50817 Percentile)

Path Traversal in http-file-server

Affected Packages: npm:http-file-server
PURL: pkg:npm/http-file-server
Affected Versions: < 0.2.6
Fixed Versions: No known fixed version
Dependent packages: 1
Dependent repositories: 2
Downloads last month: 19

Affected Version Ranges

All affected versions

0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5

All versions of http-file-server are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.
