Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdtNzctcTc0cC01NzYz
Path Traversal in superstatic
Affected versions of superstatic are vulnerable to path traversal when used on Windows.
Additionally, it is vulnerable to path traversal on other platforms when combined with certain Node.js versions that erroneously normalize \\ to / in paths on all platforms (a known example being Node.js v9.9.0).
Recommendation
Update to version 5.0.2 or later.
Permalink: https://github.com/advisories/GHSA-wm77-q74p-5763
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdtNzctcTc0cC01NzYz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 6 years ago
Updated: almost 2 years ago
Identifiers: GHSA-wm77-q74p-5763
References:
- https://github.com/firebase/superstatic/pull/255
- https://github.com/firebase/superstatic/commit/e396ff62f588732989137d6c40d46b310e51ef2b
- https://github.com/firebase/superstatic/blob/v5.0.1/lib/providers/fs.js#L71
- https://www.npmjs.com/advisories/652
- https://github.com/advisories/GHSA-wm77-q74p-5763
Blast Radius: 0.0
Affected Packages
npm:superstatic
Dependent packages: 126
Dependent repositories: 22,257
Downloads: 1,991,896 last month
Affected Version Ranges: < 5.0.2
Fixed in: 5.0.2
All affected versions: 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.10, 0.4.11, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.12.12, 0.12.13, 0.12.14, 0.12.15, 0.12.16, 0.12.17, 0.12.18, 0.12.19, 0.12.20, 0.12.21, 0.12.22, 0.12.23, 0.12.24, 0.12.25, 0.12.26, 0.12.27, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.0, 2.2.1, 2.2.2, 3.0.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.3.0, 5.0.0, 5.0.1
All unaffected versions: 5.0.2, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 7.0.0, 7.0.1, 7.1.0, 8.0.0, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.1.0