Uncontrolled external site redirect in serve-static
Description
Open Redirect in serve-static
Versions of serve-static prior to 1.6.5 (or 1.7.x prior to 1.7.2) are affected by an open redirect vulnerability on some browsers when configured to mount at the root directory.
Proof of Concept
A link to http://example.com//www.google.com/%2e%2e will redirect to //www.google.com/%2e%2e, a protocol-relative URL built from the doubled leading slash in the request path.
Some browsers will interpret this as http://www.google.com/%2e%2e, resulting in an external redirect.
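The following is an added illustration of the redirect construction behind this advisory, not serve-static's own code. It assumes the directory redirect is built by appending a trailing slash to the request path, shows why the PoC path yields a protocol-relative Location, and shows the leading-slash collapse that makes the redirect host-relative, plus a check useful when reviewing redirect responses.

```javascript
// Added illustration (not serve-static's code). Assumption: a request for a
// directory without a trailing slash is redirected to the same path plus "/".

// Vulnerable construction: the request path is echoed into Location unchanged.
// Mounted at the root, "//www.google.com/%2e%2e" becomes "//www.google.com/%2e%2e/",
// which some browsers treat as http://www.google.com/%2e%2e/.
function vulnerableRedirectLocation(reqPath) {
  return reqPath + '/';
}

// Collapse any run of leading slashes to a single "/" so the result can never be
// read as a protocol-relative ("//host/...") URL.
function collapseLeadingSlashes(str) {
  let i = 0;
  while (i < str.length && str[i] === '/') i++;
  return i > 1 ? '/' + str.slice(i) : str;
}

// Hardened construction: same redirect, but always host-relative.
function safeRedirectLocation(reqPath) {
  return collapseLeadingSlashes(reqPath + '/');
}

// Review check: a Location starting with "//" or "/\" is protocol-relative
// (browsers normalise the backslash form to "//"), so it can leave the origin.
function isProtocolRelative(location) {
  return /^\/[\/\\]/.test(location);
}

// Constructed input taken from the PoC path above.
const pocPath = '//www.google.com/%2e%2e';
console.log(vulnerableRedirectLocation(pocPath)); // "//www.google.com/%2e%2e/"
console.log(safeRedirectLocation(pocPath));       // "/www.google.com/%2e%2e/"
```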
Recommendation
Version 1.7.x: Update to version 1.7.2 or later. Version 1.6.x: Update to version 1.6.5 or later.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| npm | 1.7.2, 1.7.2 | | |
| debian 13 | 1.6.4-2 | | |
| debian 14 | 1.6.4-2 | | |
| debian 11 | 1.6.4-2 | | |
| debian 12 | 1.6.4-2 | | |