st@0.0.7 vulnerabilities

A module for serving static files. Does etags, caching, etc.

latest version

3.0.1
latest non vulnerable version

3.0.1
first published

12 years ago
latest version published

a month ago
licenses detected
- BSD-2-Clause
  >=0.0.1 <0.5.4
View st package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the st package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Open Redirect `st` is a module for serving static files. Affected versions of this package are vulnerable to Open Redirect. A malicious user could send a specially crafted request, which would automatically redirect the request to another domain, controlled by the attacker. Note: `st` will only redirect if requests are served from the root(`/`) and not from a subdirectory	<1.2.2
M Directory Traversal Versions prior to 0.2.5 did not properly prevent path traversal. Literal dots in a path were resolved out, but url encoded dots were not. Thus, a request like `/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd` would leak sensitive files and data from the server. As of version 0.2.5, any `'/../'` in the request path, urlencoded or not, will be replaced with `'/'`. If your application depends on url traversal, then you are encouraged to please refactor so that you do not depend on having `..` in url paths, as this tends to expose data that you may be surprised to be exposing. How to fix Directory Traversal? Upgrade to version 0.2.5 or greater.	<0.2.5

Open Redirect

st is a module for serving static files.

Affected versions of this package are vulnerable to Open Redirect. A malicious user could send a specially crafted request, which would automatically redirect the request to another domain, controlled by the attacker.

Note: st will only redirect if requests are served from the root(/) and not from a subdirectory

<1.2.2

Directory Traversal

Versions prior to 0.2.5 did not properly prevent path traversal. Literal dots in a path were resolved out, but url encoded dots were not. Thus, a request like /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd would leak sensitive files and data from the server.

As of version 0.2.5, any '/../' in the request path, urlencoded or not, will be replaced with '/'. If your application depends on url traversal, then you are encouraged to please refactor so that you do not depend on having .. in url paths, as this tends to expose data that you may be surprised to be exposing.

How to fix Directory Traversal?

Upgrade to version 0.2.5 or greater.

<0.2.5

Go back to all versions of this package

st@0.0.7 vulnerabilities

A module for serving static files. Does etags, caching, etc.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities