Description
The @vivaxy/here module is a small web server that serves files with the process’ working directory acting as the web root.
It is vulnerable to a directory traversal attack.
This means that files on the local file system which exist outside of the web root may be disclosed to an attacker. This might include confidential files.
Recommendation
Update the @vivaxy/here package to the latest compatible version. Followings are version details:
- Affected version(s): <= 3.2.1
- Patched version(s): 3.2.2
References
Related Issues
- Stimulsoft Dashboard.JS directory traversal vulnerability - CVE-2024-24398
- Directory Traversal vulnerability in serve-lite - CVE-2022-21192
- Directory Traversal - Vulnerability
- MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827 - CVE-2025-67898
You might also like:
- Tags:
- npm
- @vivaxy/here
Anything's wrong? Let us know Last updated on January 09, 2023


