Advisories for Npm/Serve package

2020

Bypass due to validation before canonicalization in serve

Versions of serve before 6.5.2 are vulnerable to a bypass of the ignore functionality. The bypass is possible because validation happens before canonicalization of paths and filenames.

Example: Here we have a server that ignores the file test.txt.

    const serve = require('serve')
    const server = serve(__dirname, { port: 1337, ignore: ['test.txt'] })

Using the URL-encoded form of a letter (%65 instead of e), an attacker can bypass the ignore control …

2019

Path Traversal

A path traversal vulnerability in serve allows attackers to read the content of arbitrary files on the remote server.

Information Exposure

A bug in handling the ignore files and directories feature in serve allows an attacker to read a file or list the directory that the victim has not allowed access to.

2018

Directory Traversal

serve does not properly handle %2e (.) and %2f (/) and allows these characters to be used in paths, which can be used to traverse up the directory tree and list the contents of any directory the user running the process has access to. Mitigating factors: This vulnerability only allows listing of directory contents and does not allow reading of arbitrary files.

Information Exposure

Information exposure through directory listings in serve allows directory listing and file access even when they have been set to be ignored.