CVE-2022-25848 – static-dev-server
Package
Manager: npm
Name: static-dev-server
Vulnerable Version: =1.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00139 (percentile: 0.34528)
Details
static-dev-server vulnerable to path traversal
A path traversal vulnerability affects all versions of the package static-dev-server. This is because user-supplied paths are joined to the root directory, so the asset for the requested path is resolved relative to the root directory. There is currently no known workaround or fix for this issue.
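An added example, not code from static-dev-server or the advisory: the join pattern described above next to a hardened resolver that rejects any request resolving outside the root. The function names, the `/srv/site` root and the request paths are hypothetical and constructed for illustration.

```javascript
// Added example with hypothetical names; this is not static-dev-server's code.
const path = require("node:path");

// Pattern described in the advisory: the request path is joined to the root.
// path.join normalises ".." segments, so the result can leave the root.
function naiveResolve(root, requestPath) {
  return path.join(root, requestPath);
}

// Hardened form: decode once, resolve, then verify containment in the root.
// Returns the absolute file path, or null when the request must be rejected.
function safeResolve(root, requestPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(requestPath);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0")) return null; // NUL bytes never belong in a path
  const absRoot = path.resolve(root);
  // The leading "." keeps the request relative, so an absolute request path
  // cannot replace the root during resolution.
  const candidate = path.resolve(absRoot, "." + path.sep + decoded);
  const rel = path.relative(absRoot, candidate);
  const inside =
    rel === "" ||
    (rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel));
  return inside ? candidate : null;
}

// Constructed request paths (not taken from the advisory).
const SAMPLES = ["/css/app.css", "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd", "/%zz"];

// Map each request to the file that would be served, or null if rejected.
function classify(root, samples) {
  return samples.map((p) => ({ request: p, served: safeResolve(root, p) }));
}

console.table(classify("/srv/site", SAMPLES));
```

The check is lexical only: a server that follows symbolic links should also compare `fs.realpath` results for the root and the candidate before serving the file.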
Metadata
Created: 2022-11-29T18:30:18Z
Modified: 2022-12-27T18:10:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-7fxm-c848-89q8/GHSA-7fxm-c848-89q8.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-7fxm-c848-89q8
Finding: F063
Auto approve: 1