GHSA-m4vv-p6fq-jhqp – @vivaxy/here

Package

Manager: npm
Name: @vivaxy/here
Vulnerable Version: >=0 <3.2.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Directory Traversal in @vivaxy/here The @vivaxy/here module is a small web server that serves files with the process' working directory acting as the web root. It is vulnerable to a directory traversal attack. This means that files on the local file system which exist outside of the web root may be disclosed to an attacker. This might include confidential files. Mitigating Factors: If the node process is run as a user with very limited filesystem permissions, there is significantly less risk of exposing confidential/private information. Proof of Concept: ``` curl "http://${SERVER_IP}:${SERVER_PORT}/..%2f..%2fetc/passwd" ``` ## Recommendation Run `npm i @vivaxy/here` to install the latest version that addresses this vulnerability.

Metadata

Created: 2020-09-01T19:04:07Z
Modified: 2021-09-23T21:48:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-m4vv-p6fq-jhqp/GHSA-m4vv-p6fq-jhqp.json
CWE IDs: ["CWE-22"]
Alternative ID: N/A
Finding: F063
Auto approve: 1