serve@3.0.2 vulnerabilities

Static file serving and directory listing

Direct Vulnerabilities

Known vulnerabilities in the serve package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • H
Directory Traversal

serve is a static file serving and directory listing package.

Affected versions of this package are vulnerable to Directory Traversal. It was possible to fetch files outside of the web root directory through a symlink in the working directory.

How to fix Directory Traversal?

Upgrade serve to version 11.0.0 or higher.

<11.0.0
  • C
Directory Traversal

serve is a static file serving and directory listing package.

Affected versions of this package are vulnerable to Directory Traversal attacks. An attacker could read local files on the target server.

How to fix Directory Traversal?

Upgrade serve to version 7.1.3 or higher.

<7.1.3
  • H
Information Exposure

serve is a static file serving and directory listing package.

Affected versions of this package are vulnerable to Information Exposure. An attacker could bypass the ignore files/directories feature and read a file or list a directory that the victim has not allowed access to.

NOTE: This vulnerability has also been identified as: CVE-2018-3809

How to fix Information Exposure?

Upgrade serve to version 7.0.0 or higher.

<7.0.0
  • H
Information Exposure

serve is a static file serving and directory listing package.

Affected versions of this package are vulnerable to Information Exposure. An attacker could bypass the ignore files/directories feature and read a file or list a directory that the victim has not allowed access to.

NOTE: This vulnerability has also been identified as: CVE-2019-5415

How to fix Information Exposure?

Upgrade serve to version 7.0.0 or higher.

<7.0.0
  • H
Information Exposure

serve is a module that provides a neat interface for listing a directory's contents and switching into subfolders.

Affected versions of this package are vulnerable to Information Exposure through directory listing. It allows directory browsing and serving static files through the browser.

How to fix Information Exposure?

Update serve to version 6.5.2 or higher.

<6.5.2
  • M
Directory Traversal

serve is a package for static file serving that lists directories and allows browsing them in the browser.

It does not properly sanitize dots (%2e) and slashes (%2f), allowing an attacker to leverage these characters to traverse the directory tree and list the content of any directory the user running the process has access to.

Note: An attacker will not be able to use this vulnerability to read arbitrary files.

How to fix Directory Traversal?

Upgrade serve to version 6.4.9 or higher.

<6.4.9
  • H
Directory Traversal

serve is a static file serving and directory listing package. Affected versions of the package are vulnerable to Directory Traversal related to SNYK-JS-NEXT-10641.

How to fix Directory Traversal?

Upgrade serve to version 5.2.2 or higher.

<5.2.0 >=5.2.1 <5.2.2
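
Two of the Directory Traversal entries above describe distinct root causes: a symlink in the working directory, and unsanitized %2e / %2f sequences. The following is an added example, not code from serve or from Snyk, showing one containment check that covers both; `isInside`, `resolveInsideRoot` and `buildDemoTree` are hypothetical names and the sample tree is constructed.

```javascript
// Added example (not serve's own code): decode, normalise, then confirm the
// real on-disk target is still inside the web root before serving it.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// True when `target` is `root` itself or a descendant of it.
function isInside(root, target) {
  const rel = path.relative(root, target);
  return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Hypothetical helper: returns the absolute path to serve, or null to refuse.
function resolveInsideRoot(root, requestPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(requestPath); // %2e -> '.', %2f -> '/'
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL bytes never belong in a path

  const realRoot = fs.realpathSync(root);
  // Lexical check on the decoded path: path.resolve collapses '..' segments.
  const candidate = path.resolve(realRoot, '.' + path.sep + decoded);
  if (!isInside(realRoot, candidate)) return null;

  // Symlink check: compare the link's real target, not its name.
  let realTarget;
  try {
    realTarget = fs.realpathSync(candidate);
  } catch {
    return null; // missing file or dangling link
  }
  return isInside(realRoot, realTarget) ? realTarget : null;
}

// Constructed sample tree: <tmp>/secret.txt, <tmp>/www/index.html, and a
// symlink <tmp>/www/link.txt that points at the file outside the root.
function buildDemoTree() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'serve-demo-'));
  const root = path.join(base, 'www');
  fs.mkdirSync(root);
  fs.writeFileSync(path.join(base, 'secret.txt'), 'outside the root');
  fs.writeFileSync(path.join(root, 'index.html'), '<h1>ok</h1>');
  fs.symlinkSync(path.join(base, 'secret.txt'), path.join(root, 'link.txt'));
  return root;
}
```

The check still leaves a window between `realpathSync` and the later file open, so a server that must tolerate a writable web root should open the file first and validate the opened handle's path.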