Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhnNzUtMzI3Ny1ndnZq
Directory Traversal in serve
Versions of serve
before 7.1.3 are vulnerable to Directory Traversal. File paths are not sanitized leading to unauthorized access of system files.
Recommendation
Upgrade to version 7.1.3 or later
Permalink: https://github.com/advisories/GHSA-xg75-3277-gvvjJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhnNzUtMzI3Ny1ndnZq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 5 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-xg75-3277-gvvj, CVE-2019-5417
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-5417
- https://hackerone.com/reports/358645
- https://github.com/advisories/GHSA-xg75-3277-gvvj
- https://www.npmjs.com/advisories/795
Affected Packages
npm:serve
Dependent packages: 5,061Dependent repositories: 103,043
Downloads: 6,178,260 last month
Affected Version Ranges: < 7.1.3
Fixed in: 7.1.3
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 4.0.0, 4.0.1, 4.0.2, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.1.0, 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.1.2
All unaffected versions: 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 8.0.0, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0, 9.0.0, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.3.0, 9.4.0, 9.4.1, 9.4.2, 9.6.0, 10.0.0, 10.0.1, 10.0.2, 10.1.0, 10.1.1, 10.1.2, 11.0.0, 11.0.1, 11.0.2, 11.1.0, 11.2.0, 11.3.0, 11.3.1, 11.3.2, 12.0.0, 12.0.1, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 14.0.0, 14.0.1, 14.1.0, 14.1.1, 14.1.2, 14.2.0, 14.2.1