Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW00dnYtcDZmcS1qaHFw

Directory Traversal in @vivaxy/here

The @vivaxy/here module is a small web server that serves files from the local file system, using the process's working directory (the directory the server was started in) as the web root.

It is vulnerable to a directory traversal attack.

This means that files on the local file system which exist outside of the web root, but are readable by the Node process, may be disclosed to an attacker. This might include confidential files.

Mitigating Factors:
If the Node process is run as a user with very limited filesystem permissions, there is significantly less risk of exposing confidential/private information, because only files that user can read are exposed.

Proof of Concept:

curl "http://${SERVER_IP}:${SERVER_PORT}/..%2f..%2fetc/passwd"

Each %2f is a URL-encoded "/", so once the request path is decoded it becomes "../../etc/passwd"; joined under the web root, the ".." segments climb out of it.

Recommendation

Upgrade to version 3.2.2 or later, which addresses this vulnerability; running npm i @vivaxy/here installs the latest release.

Permalink: https://github.com/advisories/GHSA-m4vv-p6fq-jhqp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW00dnYtcDZmcS1qaHFw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


Identifiers: GHSA-m4vv-p6fq-jhqp
References: Repository: https://github.com/vivaxy/here
Blast Radius: 0.0

Affected Packages

npm:@vivaxy/here
Dependent packages: 15
Dependent repositories: 9
Downloads: 22 last month
Affected Version Ranges: <= 3.2.1
Fixed in: 3.2.2
All affected versions: 3.1.0, 3.2.1
All unaffected versions: 3.2.2, 3.3.0, 3.4.0, 3.4.1