node-static@0.5.9 vulnerabilities

simple, compliant file streaming module for node

Direct Vulnerabilities

Known vulnerabilities in the node-static package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Directory Traversal

node-static is a rfc 2616 compliant HTTP static-file server module, with built-in caching.

Affected versions of this package are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith() method in the servePath function.

How to fix Directory Traversal?

There is no fixed version for node-static.

*
  • H
Denial of Service (DoS)

node-static is a rfc 2616 compliant HTTP static-file server module, with built-in caching.

Affected versions of this package are vulnerable to Denial of Service (DoS). The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server.

How to fix Denial of Service (DoS)?

A fix was pushed into the master branch but not yet published.

*
  • M
Open Redirect

node-static is a rfc 2616 compliant HTTP static-file server module, with built-in caching.

Affected versions of this package are vulnerable to Open Redirect. The package fails to sanitize URLs and may redirect users to domains passed through the URL. The possible redirect domains are restricted to hosts whose name matches a served folder from the application. For example if the application serves the folder ./public and has a folder ./public/example.com, accessing localhost:8080//example.com redirects to https://www.example.com/.

How to fix Open Redirect?

A fix was pushed into the master branch but not yet published.

*