GHSA-5g97-whc9-8g7j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5g97-whc9-8g7j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-5g97-whc9-8g7j/GHSA-5g97-whc9-8g7j.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5g97-whc9-8g7j
- Aliases
-
- CVE-2023-26111
- Published
- 2023-03-06T06:30:18Z
- Modified
- 2025-09-26T21:58:15Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- node-static and @nubosoftware/node-static vulnerable to Directory Traversal
- Details
-
node-static and its fork, @nubosoftware/node-static, are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith() method in the servePath function.
- Database specific
{ "github_reviewed_at": "2023-03-07T20:28:43Z", "github_reviewed": true, "severity": "HIGH", "nvd_published_at": "2023-03-06T05:15:00Z", "cwe_ids": [ "CWE-22" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-26111
- https://gist.github.com/lirantal/c80b28e7bee148dc287339cb483e42bc
- https://github.com/cloudhead/node-static
- https://github.com/cloudhead/node-static/blob/master/lib/node-static.js#23L160-L163
- https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-3149928
- https://security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3149927
Affected packages
npm / node-static
Package
- Name
- node-static
- View open source insights on deps.dev
- Purl
- pkg:npm/node-static
npm / @nubosoftware/node-static
Package
- Name
- @nubosoftware/node-static
- View open source insights on deps.dev
- Purl
- pkg:npm/%40nubosoftware/node-static