CVE-2017-16222

Name of the Vulnerable Software and Affected Versions: elding versions (affected versions not specified)

Description: The issue allows an attacker to access the filesystem by exploiting a directory traversal vulnerability. This is done by placing "../" in the URL, but the accessible files are limited to those with a file extension. For example, sending a GET request to /../../../etc/passwd will return a 404 because etc/passwd is treated as a directory and the request is made for etc/passwd/index.js. A malicious actor can use this vulnerability to access files outside of the intended directory root, potentially disclosing private files on the vulnerable system.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. It is recommended that elding is only used for local development, and if the functionality is needed for production, a different package is used instead.