HIGHCVE-2019-5415CVSS 7.5

CVE-2019-5415: Path Traversal in serve

Q: What is CVE-2019-5415 — Path Traversal in serve?

CVE-2019-5415 is a vulnerability in the `serve` package that allows attackers to bypass folder exclusion rules by using `/./` in the path, potentially accessing sensitive files.

Q: Am I affected by CVE-2019-5415 in serve?

You are affected if you are using a version of `serve` prior to 7.0.1. Check your installed version with `npm list serve`.

Q: How do I fix CVE-2019-5415 in serve?

Upgrade to version 7.0.1 or later of the `serve` package using `npm install serve@latest`.

Q: Where can I find the official serve advisory for CVE-2019-5415?

Refer to the npm advisory for CVE-2019-5415: https://www.npmjs.com/advisories/1123

Platform

nodejs

Component

serve

Fixed in

7.0.1

7.0.0

AI Confidence: highNVDEPSS 0.3%Reviewed: May 2026

View on NVD

Save

CVE-2019-5415 describes a Path Traversal vulnerability affecting the serve package. This flaw allows attackers to bypass folder exclusion rules by manipulating file paths with sequences like /./, potentially exposing sensitive files and directories. The vulnerability impacts versions of serve prior to 7.0.1, and a fix is available in version 7.0.1.

Impact and Attack Scenarios

The primary impact of CVE-2019-5415 is unauthorized access to files and directories that should be protected. An attacker could exploit this vulnerability to retrieve configuration files, source code, or other sensitive data from the server hosting the serve application. This could lead to information disclosure, and in some cases, could be a stepping stone for further attacks, such as code execution if the retrieved files contain exploitable code. The blast radius depends on the sensitivity of the files accessible through the server; a development server with source code would have a higher impact than a static website serving only public content.

Exploitation Context

CVE-2019-5415 was publicly disclosed on March 25, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept exploits are widely known, but the simplicity of the path traversal technique makes it likely that such exploits could be developed. It is not listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

NextGuard10–15% still vulnerable

EPSS

0.32% (55% percentile)

CVSS Vector

Affected Software

Componentserve

Vendorosv

Affected rangeFixed in

7.0.0 – 7.0.07.0.1

—7.0.0

Weakness Classification (CWE)

CWE-548

Timeline

Reserved2019-01-04
Published2019-03-25
Modified2025-07-15
EPSS updated2026-04-02

Mitigation and Workarounds

The recommended mitigation for CVE-2019-5415 is to upgrade to version 7.0.1 or later of the serve package. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing the /./ sequence in the path. Additionally, review and restrict file permissions on the server to minimize the potential damage from unauthorized access. After upgrading, confirm the fix by attempting to access a previously protected directory using a path containing /./ – access should be denied.

How to fix

Upgrade the version of `serve` to 7.0.1 or later. This will correct the vulnerability in the handling of ignored files and directories, preventing an attacker from accessing unauthorized resources.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2019-5415 — Path Traversal in serve?

CVE-2019-5415 is a vulnerability in the serve package that allows attackers to bypass folder exclusion rules by using /./ in the path, potentially accessing sensitive files.

Am I affected by CVE-2019-5415 in serve?

You are affected if you are using a version of serve prior to 7.0.1. Check your installed version with npm list serve.

How do I fix CVE-2019-5415 in serve?

Upgrade to version 7.0.1 or later of the serve package using npm install serve@latest.

Is CVE-2019-5415 being actively exploited?

There is no public evidence of active exploitation, but the vulnerability's simplicity makes it a potential target.