Pierre-Elie

PT-2015-5139 · CVSS 4.3 · 2015-01-21
Npm · Statics-Server · CVE-2015-1164
**Name of the Vulnerable Software and Affected Versions**

- serve-static versions prior to 1.6.5
- serve-static versions 1.7.x prior to 1.7.2

**Description**

The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a `//` (slash slash) followed by a domain in the PATH INFO of a request that serve-static redirects to the default URI. This is an open redirect that is reachable when the serve-static plugin is mounted at the root. Some browsers interpret a link to `http://example.com//www.google.com/%2e%2e` as `http://www.google.com/%2e%2e`, so the redirect leaves the site.

**Recommendations**

- For versions prior to 1.6.5: update to version 1.6.5 or later.
- For versions 1.7.x prior to 1.7.2: update to version 1.7.2 or later.
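The mechanism behind the advisory, as an added illustration (this is not serve-static's own code or its actual patch): a redirect target built by appending `/` to the request path becomes protocol-relative when the path starts with `//`, and a check plus a leading-slash collapse keeps the `Location` value same-origin. The function names and the sample paths are constructed for this example.

```javascript
// Added example, not code from serve-static. Models the directory redirect
// described in the advisory: the middleware is mounted at "/", a request for a
// directory without a trailing slash is answered with a redirect to "<path>/".

// Naive redirect target: the request path with "/" appended. If the path is
// "//www.google.com/%2e%2e" the Location header becomes "//www.google.com/%2e%2e/",
// which browsers read as "http://www.google.com/%2e%2e/" (protocol-relative).
function naiveRedirectTarget(path) {
  return path + '/';
}

// Detection: a Location value starting with two or more slashes is
// protocol-relative and therefore points off-site.
function isProtocolRelative(location) {
  return /^\/\/+/.test(location);
}

// Mitigation (assumed approach, not necessarily the upstream fix): collapse any
// run of leading slashes to one "/" so the result is always a same-origin path,
// then append the trailing slash unless it is already present.
function safeRedirectTarget(path) {
  const collapsed = path.replace(/^\/\/+/, '/');
  return collapsed.endsWith('/') ? collapsed : collapsed + '/';
}

// Constructed sample PATH_INFO values, including the one from the advisory.
const samplePaths = ['/docs', '//www.google.com/%2e%2e', '///evil.example/x'];

// Compare naive and hardened redirect targets for each sample path.
function compareTargets() {
  return samplePaths.map((p) => {
    const naive = naiveRedirectTarget(p);
    const safe = safeRedirectTarget(p);
    return {
      path: p,
      naive,
      naiveOffSite: isProtocolRelative(naive),
      safe,
      safeOffSite: isProtocolRelative(safe),
    };
  });
}

console.log(JSON.stringify(compareTargets(), null, 2));
```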