Cross-site Scripting (XSS) - Stored in crud-file-server

Description

Versions of crud-file-server before 0.8.0 are vulnerable to stored cross-site scripting (XSS). This is due to insufficient santiziation of filenames when directory index is served by crud-file-server.

Recommendation

Update the crud-file-server package to the latest compatible version. Followings are version details:

• Affected version(s): <= 0.7.0
• Patched version(s): 0.8.0

References

• GHSA-h24f-9mm4-w336
• hackerone.com
• www.npmjs.com
• CVE-2018-3726
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
• Path Traversal in crud-file-server - CVE-2018-3733
• Cross-Site Scripting in http-file-server - CVE-2019-5458
• Stored Cross-site Scripting (XSS) in excalidraw's web embed component - CVE-2024-32472

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

CSRF, XXE, and 12 Other Security Acronyms Explained

Exploiting Server Version Disclosure

Tags:

npm

crud-file-server