Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc4bTctcWh2Ny05aDV4
Path Traversal in serve-here.js
Versions of serve-here.js prior to 1.2.0 are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths.
Recommendation
Upgrade to version 1.2.0 or later.
Permalink: https://github.com/advisories/GHSA-g8m7-qhv7-9h5xJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc4bTctcWh2Ny05aDV4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 5 years ago
Updated: over 1 year ago
Identifiers: GHSA-g8m7-qhv7-9h5x
References:
- https://github.com/vivaxy/here/pull/17
- https://github.com/vivaxy/here/commit/298dbab41344dfb7f95f66b1fa7b5cfb436bd4a2
- https://www.npmjs.com/advisories/554
- https://hackerone.com/reports/296254
- https://hackerone.com/reports/569966
- https://github.com/advisories/GHSA-g8m7-qhv7-9h5x
Blast Radius: 0.0
Affected Packages
npm:serve-here
Dependent packages: 7Dependent repositories: 3
Downloads: 99 last month
Affected Version Ranges: <= 3.2.0
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.6.0, 1.6.1, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.1.0, 2.1.2, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.6.12, 2.6.13, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 3.0.0, 3.0.1, 3.1.0, 3.2.0