All versions of http-file-server
are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths.
No fix is currently available. Consider using an alternative package until a fix is made available.