CVE-2023-26126: m.static Directory Traversal vulnerability

May 10, 2023 (updated November 7, 2023)

All versions of the package m.static is vulnerable to Directory Traversal due to improper input sanitization of the path being requested via the requestFile function.

References

gist.github.com/lirantal/dcb32c11ce87f5aafd2282b90b4dc998
github.com/advisories/GHSA-vcxh-qvgr-9fw9
github.com/ivoputzer/m.static/blob/master/index.js
nvd.nist.gov/vuln/detail/CVE-2023-26126
security.snyk.io/vuln/SNYK-JS-MSTATIC-3244915

Detect and mitigate CVE-2023-26126 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →