CVE-2017-16224

Name of the Vulnerable Software and Affected Versions: st versions prior to 1.2.2

Description: The st module for serving static files is affected by an issue where an attacker can craft a request that results in an HTTP 301 (redirect) to an entirely different domain. For example, a request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e, which most browsers treat as a proper redirect. This issue can be exploited when st is serving from the root of a server (/) rather than a typical subdirectory (/static/), and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e").

Recommendations: Update to version 1.2.2 or later. As a temporary workaround, consider configuring st to serve from a subdirectory rather than the root of the server to minimize the risk of exploitation.