Cross-Site Scripting in min-http-server

Severity:: Medium

Description

All versions of min-http-server are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim’s browser through files with names containing malicious code.

Recommendation

No fix is available yet. Followings are affected versions:

<= 1.0.6

References

GHSA-j657-59rv-qwm6
hackerone.com
www.npmjs.com
CVE-2019-5457
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

pg-promise SQL Injection vulnerability - CVE-2025-29744
njwt Prototype Pollution vulnerability - CVE-2024-34273
Elliptic allows BER-encoded signatures - CVE-2024-42461
ejs lacks certain pollution protection - CVE-2024-33883

Tags:: npm; min-http-server

Anything's wrong? Let us know Last updated on January 27, 2023