Path Traversal in serve-here.js
Moderate severity
GitHub Reviewed
Published
Sep 22, 2021
to the GitHub Advisory Database
•
Updated Jan 27, 2023
Description
Published by the National Vulnerability Database
Jul 10, 2019
Reviewed
Sep 22, 2021
Published to the GitHub Advisory Database
Sep 22, 2021
Last updated
Jan 27, 2023
Versions of serve-here.js prior to 1.2.0 are vulnerable to path traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths.
References