PT-2019-20025 · Node.Js · Gun

Published

2019-06-05

·

Updated

2019-06-05

None

No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
Name of the Vulnerable Software and Affected Versions

GUN versions prior to 0.2019.416

Description

A serious issue was found in the static file server module included with GUN, where using curl --path-as-is allowed reads on any parent directory or files. This issue did not affect requests made via a browser or curl without the --path-as-is option. Most NodeJS users who use the default setup are affected. The issue is serious and could lead to the leakage of environment variables and AWS keys if not addressed.

Recommendations

For versions prior to 0.2019.416, upgrade to version 0.2019.416 or higher to fix the issue. As a temporary workaround, consider avoiding the use of curl --path-as-is until the upgrade is applied. If you have custom NodeJS code, review it to ensure you are not using a vulnerable setup, such as require('http').createServer(Gun.serve(__dirname)), and adjust accordingly.

Path traversal


Weakness Enumeration

Related identifiers

GHSA-886V-MM6P-4M66

Affected products

Gun