Platform: nodejs
Component: serve
Fixed in: 7.1.4, 7.1.3
CVE-2019-5417 is a directory traversal vulnerability in the serve npm package. Because serve did not sufficiently sanitize requested file paths, an attacker could read files outside the directory being served. All serve versions prior to 7.1.3 are affected. Upgrade to version 7.1.3 or later to remediate this vulnerability.
CVE-2019-5417 in serve allows attackers to perform directory traversal. The root cause is insufficient validation of file paths, which lets an attacker read sensitive files and directories on the underlying operating system. An attacker could potentially read configuration files, source code, or other confidential data that should never be reachable through the web server. The vulnerability is rated 7.5 on the CVSS scale, a significant risk. The missing path sanitization is especially dangerous where serve publishes web content from locations that are not fully controlled.
The vulnerability is exploited by manipulating the file paths submitted to the serve tool. An attacker could use sequences such as ../ to step outside the intended root directory and reach files in unauthorized locations. Exploitation is relatively simple and does not require advanced technical skills. The risk is higher in environments where serve publishes a directory the attacker can influence, since that lets them inject malicious paths. The vulnerability affects all versions of serve prior to 7.1.3.
Exploit Status
EPSS: 0.61% (70th percentile)
CVSS Vector
The recommended solution for CVE-2019-5417 is to upgrade serve to version 7.1.3 or later. These versions validate and sanitize file paths, preventing access outside the served directory. If an immediate upgrade is not possible, apply strict file-system access controls so that the account running serve cannot read sensitive directories. Additionally, review and audit the serve configuration to ensure that only the intended files and directories are served. The upgrade is the most effective measure and is strongly recommended.
Update the 'serve' package to version 7.1.3 or later. This fixes the path traversal vulnerability that allows arbitrary file reads on the remote server. Run 'npm install serve@latest' to obtain the most recent version.
Directory traversal is an attack that lets an attacker read files and directories on a web server that should not be reachable. It is carried out by manipulating the file paths sent to the server.
You can check the installed version of serve by running the command serve --version in your terminal.
Implement strict access controls on the file system and review the serve configuration.
Yes, all versions prior to 7.1.3 are vulnerable.
You can find more information on the CVE-2019-5417 entry in the Common Vulnerabilities and Exposures (CVE) vulnerability database.