GMS-2019-130: Directory Traversal in lactate

June 14, 2019 (updated August 16, 2021)

A crafted GET request can be leveraged to traverse the directory structure of a host using the lactate web server package, and request arbitrary files outside of the specified web root.

References

github.com/RetireJS/retire.js/commit/800c8140884eaa5753a49308f560c925fe97b9a5
github.com/advisories/GHSA-68gr-cmcp-g3mj
hackerone.com/reports/296645
snyk.io/vuln/npm:lactate:20180123
www.npmjs.com/advisories/560

Detect and mitigate GMS-2019-130 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →