Directory Traversal Affecting geddy Open this link in a new tab package, versions <13.0.8


0.0
medium
  • Attack Complexity

    Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    npm:geddy:20150727

  • published

    27 Jul 2015

  • disclosed

    27 Jul 2015

  • credit

    Vikram Chaitanya

How to fix?

Update to version >= 13.0.8

Overview

Geddy static file serving allows directory traversal with a URI encoded path.

Source: Node Security Project

Details

Example:

http://localhost:4000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

geddy is serving the output as it doesn't match the routes and it's a static file