Directory traversal in rollup-plugin-server (GHSA-34gh-3cwv-wvp2)

Severity:: High

Description

This affects all versions of package rollup-plugin-server. There is no path sanitization in readFile operation performed inside the readFileFromContentBase function.

Recommendation

No fix is available yet. Followings are affected versions:

<= 0.7.0

References

GHSA-34gh-3cwv-wvp2
snyk.io
CVE-2020-7683
CWE-22
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

Directory traversal in rollup-plugin-server - CVE-2020-7686
Path traversal in rollup-plugin-serve - CVE-2020-7684
MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827 - CVE-2025-67898
Server-Side Request Forgery in @uppy/companion (GHSA-mm7r-265w-jv6f) - CVE-2020-8135

Tags:: npm; rollup-plugin-server

Anything's wrong? Let us know Last updated on January 09, 2023