Homepage

hostr@2.2.6 vulnerabilities

A simple web server for the current working directory. Used for hello world style web sites hosting only files in current directory structure. Watches files and integrates with LiveReload.

  • latest version

    3.0.4444

  • latest non vulnerable version

    3.0.4444

  • first published

    10 years ago

  • latest version published

    3 years ago

  • licenses detected

  • View hostr package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the hostr package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Directory Traversal

    hostr is a simple web server for the current working directory. Used for hello world style web sites hosting only files in current directory structure. Watches files and integrates with LiveReload. Affected versions of the package do not filter http GET requests in javascript code, allowing an attacker to retrieve confidential files over the network by requesting urls like: http://localhost:3000/../../../etc/passwd. CURLing the same request will not succeed.

    Many thanks to Liang Gong for disclosing this vulnerability.

    How to fix Directory Traversal?

    Upgrade hostr to version 2.3.6 or higher.

    <2.3.6
    Go back to all versions of this package