trailing-slash@2.0.0 vulnerabilities

Add or remove trailing slashes, and redirect.

Direct Vulnerabilities

Known vulnerabilities in the trailing-slash package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Open Redirect
Severity: M

trailing-slash is a package that adds or removes trailing slashes from request paths and redirects to the canonical form.

Affected versions of this package are vulnerable to Open Redirect via a double slash at the start of the path when accessing the vulnerable endpoint (such as https://example.com//attacker.example/). The vulnerable code is in index.js::createTrailing(): the redirect target is built as a relative URL from the request path instead of an absolute URL, so a path beginning with "//" is sent back in the Location header as "//attacker.example/", which browsers interpret as a protocol-relative URL pointing at a different host.

PoC

1. Set up a server endpoint that uses trailing-slash.
2. Append "//example.com" to the endpoint URL; the server redirects to example.com.

How to fix Open Redirect?

Upgrade trailing-slash to version 2.0.1 or higher.

Vulnerable versions: <2.0.1