Versions of serve before 7.0.0 are vulnerable to information exposure, bypassing the ignore security control, but only on case insensitive file systems.
Recommendation
Update to version 7.0.0 or later.
References:MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY4NmctM3hyMy14NHg2
Information Exposure on Case Insensitive File Systems in serve
| Affected Packages | Affected Versions | Fixed Versions | |
|---|---|---|---|
| npm:serve | < 7.0.0 | 7.0.0 | |
Affected Version RangesAll affected versions0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 4.0.0, 4.0.1, 4.0.2, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.1.0, 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8 All unaffected versions7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 8.0.0, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0, 9.0.0, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.3.0, 9.4.0, 9.4.1, 9.4.2, 9.6.0, 10.0.0, 10.0.1, 10.0.2, 10.1.0, 10.1.1, 10.1.2, 11.0.0, 11.0.1, 11.0.2, 11.1.0, 11.2.0, 11.3.0, 11.3.1, 11.3.2, 12.0.0, 12.0.1, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 14.0.0, 14.0.1, 14.1.0, 14.1.1, 14.1.2, 14.2.0, 14.2.1, 14.2.2, 14.2.3, 14.2.4 |
|||