7.0.1
7.0.0
CVE-2019-5415 describes a Path Traversal vulnerability affecting the serve package. This flaw allows attackers to bypass folder exclusion rules by manipulating file paths with sequences like /./, potentially exposing sensitive files and directories. The vulnerability impacts versions of serve prior to 7.0.1, and a fix is available in version 7.0.1.
The primary impact of CVE-2019-5415 is unauthorized access to files and directories that should be protected. An attacker can craft a malicious URL containing the sequence /./ to bypass the serve package's intended folder exclusion mechanism. This could lead to the disclosure of configuration files, source code, or other sensitive data. The blast radius is limited to the files accessible through the serve server; however, the potential for data exposure is significant, particularly in development or staging environments where sensitive information might be present.
CVE-2019-5415 was publicly disclosed on March 25, 2019. While no active exploitation campaigns have been definitively linked to this vulnerability, the ease of exploitation and the potential for data exposure make it a worthwhile target for opportunistic attackers. There are publicly available proof-of-concept exploits demonstrating the path traversal bypass. It is not listed on CISA KEV.
Development teams using serve to serve static files during development are particularly at risk. Shared hosting environments where users have limited control over their server configuration are also vulnerable if the serve package is installed and not properly updated. Projects relying on older versions of serve in automated build pipelines are also exposed.
• nodejs / server:
npm list serveCheck the version of serve installed in your project. If it's less than 7.0.1, you are vulnerable.
• generic web:
curl -I <yourserveurl>/../../../../etc/passwd
Attempt to access sensitive files using path traversal. A successful response indicates a vulnerability.
disclosure
Exploit-Status
EPSS
0.32% (55% Perzentil)
CVSS-Vektor
The recommended mitigation for CVE-2019-5415 is to immediately upgrade the serve package to version 7.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing the /./ sequence. Additionally, carefully review and restrict the files and directories served by serve to minimize the potential impact of a successful attack. After upgrading, confirm the fix by attempting to access a previously excluded directory using a URL containing /./ – access should be denied.
Aktualisieren Sie die Version von `serve` auf Version 7.0.1 oder höher. Dies behebt die Schwachstelle in der Handhabung ignorierter Dateien und Verzeichnisse und verhindert, dass ein Angreifer auf nicht autorisierte Ressourcen zugreift.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2019-5415 is a vulnerability in the serve package that allows attackers to bypass folder exclusion rules by using /./ in the path, potentially accessing sensitive files.
You are affected if you are using a version of serve prior to 7.0.1. Check your installed version with npm list serve.
Upgrade to version 7.0.1 or later of the serve package using npm install serve@latest.
There is no public evidence of active exploitation, but the vulnerability's simplicity makes it a potential target.
Refer to the npm advisory for CVE-2019-5415: https://www.npmjs.com/advisories/1123
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.