GHSA-2mp5-m968-gwr2

Source

https://github.com/advisories/GHSA-2mp5-m968-gwr2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-2mp5-m968-gwr2/GHSA-2mp5-m968-gwr2.json

Aliases

CVE-2019-5447

Published

2019-07-16T00:41:34Z

Modified

2023-11-08T04:01:36.410213Z

Details

All versions of http-file-server are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

References

https://nvd.nist.gov/vuln/detail/CVE-2019-5447
https://hackerone.com/reports/570133
https://www.npmjs.com/advisories/1077

Affected packages

npm / http-file-server

Package

Name: http-file-server

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Database specific

{
    "last_known_affected_version_range": "< 0.2.6"
}