Fluid Attacks Database

Description

Root Path Disclosure in send Versions of send prior to 0.11.2 are affected by an information leakage vulnerability which may allow an attacker to enumerate paths on the server filesystem.

Recommendation

Update to version 0.11.1 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	node-send	>=0 <0.16.2-1	0.16.2-1
npm	send	>=0 <0.11.1	0.11.1
debian 13	node-send	>=0 <0.16.2-1	0.16.2-1
debian 12	node-send	>=0 <0.16.2-1	0.16.2-1
debian 11	node-send	>=0 <0.16.2-1	0.16.2-1

Aliases

1. CVE-2015-88592. NVD-2015-88593. OSV-DEBIAN-2015-88594. OSV-2015-88595. GCVE-2015-88596. SECURITY-TRACKER-CVE-2015-8859

References

1. https://github.com/pillarjs/send/pull/702. https://github.com/pillarjs/send/commit/98a5b89982b38e79db684177cf94730ce7fc7aed3. https://github.com/expressjs/serve-static/blob/master/HISTORY.md#181--2015-01-204. https://web.archive.org/web/20200227192016/https://www.securityfocus.com/bid/964355. http://www.openwall.com/lists/oss-security/2016/04/20/11