Cross-Site Scripting in http-file-server

Severity:: Medium

Description

All versions of http-file-server are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim’s browser through files with names containing malicious code.

Recommendation

No fix is available yet. Followings are affected versions:

<= 0.2.6

References

GHSA-7j93-2h6r-hm49
hackerone.com
www.npmjs.com
CVE-2019-5458
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

tarteaucitron Cross-site Scripting (XSS) - CVE-2025-1467
Cross site scripting in markdown-to-jsx - CVE-2024-21535
uPlot Prototype Pollution vulnerability - CVE-2024-21489
FUXA local file inclusion vulnerability - CVE-2023-31718

Tags:: npm; http-file-server

Anything's wrong? Let us know Last updated on February 01, 2023