Open Redirect Affecting serve-static package, versions <1.6.5 >=1.7.0 <1.7.2


Severity

Recommended
0.0
low
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.35% (73rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:serve-static:20150113
  • published 13 Jan 2015
  • disclosed 13 Jan 2015
  • credit Pierre-Élie Fauché

How to fix?

  • Update to version 1.7.2 or greater (or 1.6.5 if sticking to the 1.6.x line).
    • Disable redirects if not using the feature with 'redirect: false' option and cannot upgrade.

Overview

When using serve-static middleware version < 1.7.2 and it's configured to mount at the root, it creates an open redirect on the site.

Source: Node Security Project

Details

For example:

If a user visits http://example.com//www.google.com/%2e%2e they will be redirected to //www.google.com/%2e%2e, which some browsers interpret as http://www.google.com/%2e%2e.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
3.1 low
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    Low
  • Availability (A)
    None
Expand this section

NVD

4.3 medium