Cross-Site Scripting in min-http-server

Description

All versions of min-http-server are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim’s browser through files with names containing malicious code.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 1.0.6

References

• GHSA-j657-59rv-qwm6
• hackerone.com
• www.npmjs.com
• CVE-2019-5457
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Cross-Site Scripting in http-file-server - CVE-2019-5458
• Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
• Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745
• DOM-based cross-site scripting in Froala Editor - CVE-2019-19935

You might also like:

Exploiting Server Version Disclosure

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

min-http-server