CVE-2014-6394: Directory Traversal in Send Node.js Module

Successful exploitation of CVE-2014-6394 allows an attacker to read arbitrary files on the server, provided they can influence the application's request. This could include configuration files, source code, or other sensitive data. The impact is amplified if the application is running with elevated privileges, as the attacker could potentially gain access to system resources. While the CVSS score is LOW, the potential for data exposure and the ease of exploitation make this a significant concern, particularly in applications that rely heavily on the send module for serving static assets. The ability to bypass the intended root directory restriction is a critical security failure.

1. Publicada2017-10-24
2. Modificada2023-11-08
3. EPSS atualizado2026-04-02

The primary mitigation for CVE-2014-6394 is to upgrade the send module to version 0.8.4 or later. This version includes a fix that properly restricts file access based on the root option. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests that attempt to traverse directories. Specifically, look for patterns in the request path that attempt to escape the intended root directory. Thoroughly test any configuration changes or WAF rules to ensure they do not disrupt legitimate application functionality. After upgrading, confirm the fix by attempting a directory traversal request and verifying that access is denied.