Name of the Vulnerable Software and Affected Versions @vivaxy/here (affected versions not specified)

Description The issue allows for a directory traversal attack, potentially disclosing files on the local file system that exist outside of the web root, including confidential files. If the node process is run with limited filesystem permissions, the risk of exposing confidential information is significantly reduced. An example of exploitation can be seen in a proof of concept using a curl command to access sensitive files like /etc/passwd.

Recommendations Run npm i @vivaxy/here to install the latest version that addresses this vulnerability.