Access Restriction Bypass Affecting serverless-offline package, versions <8.6.0


Severity

medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

EPSS: 0.58% (79th percentile)

  • Snyk ID: SNYK-JS-SERVERLESSOFFLINE-1540299
  • published: 11 Aug 2021
  • disclosed: 11 Aug 2021
  • credit: Unknown

Introduced: 11 Aug 2021

CVE-2021-38384
CWE-284

How to fix?

Upgrade serverless-offline to version 8.6.0 or higher.

Overview

serverless-offline is a package that emulates AWS λ and API Gateway locally when developing your Serverless project.

Affected versions of this package are vulnerable to Access Restriction Bypass. It returns a 403 HTTP status code for a route that has a trailing / character, which might cause a developer to implement incorrect access control, because the actual behavior within the Amazon AWS environment is a 200 HTTP status code (i.e., possibly greater than expected permissions).
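As an added illustration (not code from serverless-offline, API Gateway or Snyk), the following JavaScript simulation contrasts an access check that keys on the raw request path, as a developer might write it after seeing the emulator reject trailing-slash paths, with one that keys on the normalized path. The route table, the `normalizePath` helper and the three status functions are constructed for this example; the 403 and 200 figures are the ones the advisory gives.

```javascript
// Constructed route table for a hypothetical API (not from any real project).
const ROUTES = new Set(["/public", "/admin"]);

// Constructed set of resources that require an admin caller.
const PROTECTED = new Set(["/admin"]);

// Map a request path to its resource the way the advisory describes the real
// AWS environment behaving: a trailing "/" resolves to the same resource as
// the path without it. "/" itself is left alone.
function normalizePath(path) {
  if (path.length > 1 && path.endsWith("/")) return path.replace(/\/+$/, "");
  return path;
}

// Strict matcher modelled on the emulator behaviour the advisory describes:
// a path with a trailing "/" matches no route and is answered with 403.
function emulatorStatus(path, isAdmin) {
  if (!ROUTES.has(path)) return 403;
  if (PROTECTED.has(path) && !isAdmin) return 401;
  return 200;
}

// Production-like routing with a brittle authorization check: routing uses
// the normalized resource, but the admin check still compares the raw path,
// so "/admin/" reaches the handler with no admin check at all.
function brittleStatus(path, isAdmin) {
  const resource = normalizePath(path);
  if (!ROUTES.has(resource)) return 404;
  if (PROTECTED.has(path) && !isAdmin) return 401;
  return 200;
}

// Hardened: authorize on the same normalized resource that routing uses, so
// the check holds regardless of how the emulator or gateway treats "/".
function hardenedStatus(path, isAdmin) {
  const resource = normalizePath(path);
  if (!ROUTES.has(resource)) return 404;
  if (PROTECTED.has(resource) && !isAdmin) return 401;
  return 200;
}

// Side-by-side view of one request under each model.
function compare(path, isAdmin) {
  return {
    emulator: emulatorStatus(path, isAdmin),
    brittle: brittleStatus(path, isAdmin),
    hardened: hardenedStatus(path, isAdmin),
  };
}
```

Running `compare("/admin/", false)` shows the divergence the advisory warns about: the emulator answers 403, the brittle check lets the request through with 200, and the hardened check returns 401.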

CVSS Scores: version 3.1