PT-2023-20498 · Unknown · Node-Static
Liran Tal · Published 2023-03-06 · Updated 2023-03-10 · CVE-2023-26111
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
@node-static: all versions
node-static: all versions
Description
The issue arises from improper file path sanitization in the servePath function, which relies on a startsWith() prefix check to decide whether a resolved path lies inside the served directory. The check is insufficient, leading to Directory Traversal: attackers can access files outside the intended directory.
Recommendations
For @nubosoftware/node-static, consider disabling the
servePath function until a patch is available.
For node-static, restrict access to the servePath function to minimize the risk of exploitation.
As a temporary workaround, avoid using the startsWith() method in the servePath function until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Node-Static