Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg4NnYtbW02cC00bTY2

High severity vulnerability that affects gun

Urgent Upgrade

The static file server module included with GUN had a serious vulnerability:

Using curl --path-as-is allowed reads on any parent directory or files.

This did not work via the browser or via curl without as-is option.

Fixed

This has been fixed since version 0.2019.416 and higher.

Who Was Effected?

Most NodeJS users who use the default setup, such as:

npm start
node examples/http.js
Heroku 1-click-deploy
Docker
Now

If you have a custom NodeJS code then you are probably safe unless you have something like require('http').createServer(Gun.serve(__dirname)) in it.

If you have not upgraded, it is mandatory or else it is highly likely your environment variables and AWS (or other) keys could be leaked.

Credit

It was reported and fixed by JK0N, but I did not understand the --path-as-is condition.

Joonas Loppi from function61 rediscovered it and explained the urgency to me to fix it.

Permalink: https://github.com/advisories/GHSA-886v-mm6p-4m66
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg4NnYtbW02cC00bTY2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 5 years ago
Updated: over 1 year ago

Identifiers: GHSA-886v-mm6p-4m66
References:

Repository: https://github.com/amark/gun
Blast Radius: 0.0

Affected Packages

npm:gun

Dependent packages: 175
Dependent repositories: 625
Downloads: 16,710 last month
Affected Version Ranges: < 0.2019.416
Fixed in: 0.2019.416
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.1.0, 0.1.1, 0.1.2, 0.1.4, 0.1.5, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.9, 0.3.91, 0.3.92, 0.3.93, 0.3.94, 0.3.95, 0.3.96, 0.3.97, 0.3.98, 0.3.99, 0.3.991, 0.3.992, 0.3.993, 0.3.994, 0.3.995, 0.3.996, 0.3.997, 0.3.998, 0.3.999, 0.3.9991, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.5.9, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.7.9, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.91, 0.9.92, 0.9.93, 0.9.94, 0.9.95, 0.9.96, 0.9.97, 0.9.98, 0.9.99, 0.9.991, 0.9.992, 0.9.993, 0.9.994, 0.9.995, 0.9.996, 0.9.997, 0.9.998, 0.9.999, 0.9.9991, 0.9.9992, 0.9.9993, 0.9.9994, 0.9.9995, 0.9.9996, 0.9.9997, 0.9.9998, 0.9.9999, 0.9.99991, 0.9.99992, 0.9.99993, 0.9.99994, 0.9.99995, 0.9.99996, 0.9.99997, 0.9.99998, 0.9.99999, 0.9.999991, 0.9.999992, 0.9.999993, 0.9.999994, 0.9.999995, 0.9.999996, 0.9.999997, 0.9.999998, 0.9.999999, 0.9.9999991, 0.2019.323, 0.2019.331, 0.2019.413
All unaffected versions: 0.2019.416, 0.2019.420, 0.2019.422, 0.2019.425, 0.2019.426, 0.2019.427, 0.2019.428, 0.2019.514, 0.2019.515, 0.2019.612, 0.2019.627, 0.2019.711, 0.2019.712, 0.2019.726, 0.2019.910, 0.2019.915, 0.2019.929, 0.2019.930, 0.2019.1120, 0.2019.1211, 0.2019.1228, 0.2020.115, 0.2020.116, 0.2020.301, 0.2020.401, 0.2020.421, 0.2020.430, 0.2020.514, 0.2020.520, 0.2020.1232, 0.2020.1233, 0.2020.1234, 0.2020.1235, 0.2020.1236, 0.2020.1237, 0.2020.1238, 0.2020.1239, 0.2020.1240