Platform
nodejs
Component
serve
Fixed in
6.4.9
CVE-2018-3712 is a directory traversal vulnerability in the serve npm package. It allows an unauthenticated attacker to list the contents of any directory readable by the user running the serve process, so it impacts confidentiality: directory structures and filenames that were never meant to be published can be exposed. All serve versions prior to 6.4.9 are affected; 6.4.9 fixes the issue.
The flaw is triggered by the URL-encoded forms of dot (%2e) and forward slash (%2f). serve did not handle these encoded characters when validating the requested path, so a request built from them bypassed the path restrictions that a literal ../ would have hit, letting the attacker enumerate directories outside the served root. The vulnerability does not allow reading individual files, but directory enumeration still reveals the layout of the filesystem and the names of files in it, which is often enough to guide a follow-up attack. The CVSS score is 6.5 (Medium severity). Versions prior to 6.4.9 are affected.
An attacker exploits this by sending crafted HTTP requests to a server running a vulnerable serve. The request path uses percent-encoded sequences in place of the characters a traversal filter looks for: %2e%2e%2f is the encoded form of ../, so a path such as /%2e%2e/%2e%2e/ steps up two directories from the served root, and further %2f-separated components then descend into whichever subdirectory the attacker names. Because the raw request never contains a literal .., it passes restrictions that would reject plain ../ sequences. The attacker can then list the contents of any directory the serve process can read.
Exploit Status
EPSS
0.68% (71st percentile)
CVSS Vector
The recommended fix is to upgrade serve to version 6.4.9 or later, which corrects the flaw by validating the decoded, normalized request path. If the upgrade cannot be applied immediately, reduce the blast radius: run serve from a directory that contains only content intended to be public, restrict the filesystem the process can read, and do not run it with elevated privileges. Apply the update promptly, since any directory readable by the process can otherwise be enumerated by an unauthenticated client.
An official fix is available: upgrade serve to 6.4.9 or later.
What is CVE-2018-3712?
The unique identifier for this directory traversal vulnerability in the serve npm package.
What information can be exposed?
Primarily the directory structure and filenames accessible to the serve process.
Can an attacker read file contents through this vulnerability?
No, the vulnerability only allows listing directory contents, not reading individual files.
What can be done until the upgrade is applied?
Serve only a directory containing public content, limit the serve process's access to the directories it needs, and avoid running it with elevated privileges.
Where can the fixed version be obtained?
serve is distributed through the npm registry; install version 6.4.9 or later (for example, npm install serve@6.4.9 or a newer release) and update the project's lockfile accordingly.