GHSA-62jr-84gf-wmg4

Source
https://github.com/advisories/GHSA-62jr-84gf-wmg4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-62jr-84gf-wmg4/GHSA-62jr-84gf-wmg4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-62jr-84gf-wmg4
Published
2024-01-16T15:24:41Z
Modified
2024-02-16T15:30:26Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Default swagger-ui configuration exposes all files in the module
Details

Impact

The default configuration of @fastify/swagger-ui, with baseDir left unset, exposes every file in the module's own directory through the HTTP routes the module serves.

Patches

Update to v2.1.0

Workarounds

Use the baseDir option

References

HackerOne report.

Database specific
{
    "nvd_published_at": "2024-01-15T16:15:13Z",
    "cwe_ids": [
        "CWE-1188"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-16T15:24:41Z"
}
Affected packages

npm / @fastify/swagger-ui

Package

Name
@fastify/swagger-ui
Purl
pkg:npm/%40fastify/swagger-ui

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
2.1.0