- Snyk ID npm:serve-static:20150113
- published 13 Jan 2015
- disclosed 13 Jan 2015
- credit Pierre-Élie Fauché
How to fix?
- Update to version 1.7.2 or greater (or 1.6.5 if sticking to the 1.6.x line).
- If you cannot upgrade and do not rely on the directory redirect feature, disable it with the 'redirect: false' option.
When serve-static middleware version < 1.7.2 is mounted at the root, it creates an open redirect on the site.
Source: Node Security Project
If a user visits http://example.com//www.google.com/%2e%2e they will be redirected to //www.google.com/%2e%2e, which some browsers interpret as
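The following is an added example, not serve-static's own code. It builds the trailing-slash directory redirect for the advisory's sample request path, shows why the unhardened target leaves the site, and applies the mitigation a defender wants (collapse leading slashes before redirecting) together with a log-line check for such probes. The function names (`collapseLeadingSlashes`, `isOffSiteRedirect`, `directoryRedirectTarget`, `looksLikeProtocolRelativeProbe`) are mine; the backslash handling goes beyond the page, since browsers also treat a leading `\` as `/` in http URLs.

```javascript
// Raw request path as Node's http server exposes it in req.url (not decoded).
// Constructed from the advisory's example request.
const SAMPLE_REQUEST_PATH = '//www.google.com/%2e%2e';

// Collapse a run of leading slashes (or backslashes) to a single '/', so the
// value can never be read by a browser as a protocol-relative URL "//host/...".
function collapseLeadingSlashes(path) {
  let i = 0;
  while (i < path.length && (path[i] === '/' || path[i] === '\\')) i += 1;
  return i > 1 ? '/' + path.slice(i) : path;
}

// Would a browser send the user to another origin for this Location value?
// Protocol-relative ("//host", "/\host") and absolute ("scheme:") forms do.
function isOffSiteRedirect(location) {
  return /^[/\\]{2}/.test(location) || /^[a-z][a-z0-9+.-]*:/i.test(location);
}

// Location header for a "directory requested without trailing slash" redirect.
// hardened=false reproduces the behaviour the advisory describes (raw path
// plus '/'); hardened=true is the mitigated form.
function directoryRedirectTarget(requestPath, hardened) {
  const q = requestPath.indexOf('?');
  const pathname = q === -1 ? requestPath : requestPath.slice(0, q);
  const query = q === -1 ? '' : requestPath.slice(q);
  const base = hardened ? collapseLeadingSlashes(pathname) : pathname;
  return base + '/' + query;
}

// Access-log check: a request path that begins with two slash-like characters
// is a probe for this bug class, whichever package serves static files.
function looksLikeProtocolRelativeProbe(requestPath) {
  return /^[/\\]{2}[^/\\]/.test(requestPath);
}

function main() {
  for (const hardened of [false, true]) {
    const target = directoryRedirectTarget(SAMPLE_REQUEST_PATH, hardened);
    console.log(`${hardened ? 'hardened  ' : 'vulnerable'} Location: ${target}` +
                `  off-site=${isOffSiteRedirect(target)}`);
  }
  console.log(`probe in log? ${looksLikeProtocolRelativeProbe(SAMPLE_REQUEST_PATH)}`);
}
main();
```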