Homepage

st@0.0.5 vulnerabilities

A module for serving static files. Does etags, caching, etc.

  • latest version

    3.0.1

  • latest non vulnerable version

    3.0.1

  • first published

    12 years ago

  • latest version published

    6 months ago

  • licenses detected

  • View st package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the st package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Open Redirect

    st is a module for serving static files.

    Affected versions of this package are vulnerable to Open Redirect. A malicious user could send a specially crafted request, which would automatically redirect the request to another domain, controlled by the attacker.

    Note: st will only redirect if requests are served from the root(/) and not from a subdirectory

    <1.2.2
    • M
    Directory Traversal

    Versions prior to 0.2.5 did not properly prevent path traversal. Literal dots in a path were resolved out, but url encoded dots were not. Thus, a request like /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd would leak sensitive files and data from the server.

    As of version 0.2.5, any '/../' in the request path, urlencoded or not, will be replaced with '/'. If your application depends on url traversal, then you are encouraged to please refactor so that you do not depend on having .. in url paths, as this tends to expose data that you may be surprised to be exposing.

    How to fix Directory Traversal?

    Upgrade to version 0.2.5 or greater.

    <0.2.5
    Go back to all versions of this package