Description
The @vivaxy/here module is a small web server that serves files using the process's working directory as the web root.
It is vulnerable to a directory traversal attack.
This means that files on the local file system which exist outside of the web root may be disclosed to an attacker. This might include confidential files.
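The traversal described above, shown as an added example that is not code from @vivaxy/here: a file server that joins the decoded URL path to its web root without a containment check, next to a version that rejects any path resolving outside the root. The function names, the `/srv/www` root and the sample requests are constructed for illustration.

```javascript
// Added example: function names are hypothetical, not from @vivaxy/here.
// Assumes POSIX-style paths and a URL path with the query string removed.

// Collapse "." and ".." segments of an absolute POSIX path.
function normalize(absPath) {
  const out = [];
  for (const seg of absPath.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Vulnerable pattern: decode the URL path and join it to the web root
// without checking where the result ends up.
function naiveResolve(root, urlPath) {
  return normalize(root + '/' + decodeURIComponent(urlPath));
}

// Hardened pattern: same resolution, then refuse anything outside the root.
function safeResolve(root, urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0') || decoded.includes('\\')) return null;
  const base = normalize(root);
  const target = normalize(base + '/' + decoded);
  // Compare against the root plus a trailing separator so that
  // "/srv/www-old" is not treated as being inside "/srv/www".
  const prefix = base === '/' ? '/' : base + '/';
  if (target !== base && !target.startsWith(prefix)) return null;
  return target;
}

// Constructed sample requests against a constructed web root.
const ROOT = '/srv/www';
const SAMPLES = ['/index.html', '/../../etc/passwd', '/%2e%2e/%2e%2e/etc/passwd', '/a/../b.txt'];
for (const p of SAMPLES) {
  console.log(p, '->', naiveResolve(ROOT, p), '|', safeResolve(ROOT, p));
}
```

A server using this check should also resolve symbolic links (for example with `fs.realpath`) before comparing against the root, since a link inside the web root can point outside it.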
Recommendation
Update the @vivaxy/here package to the latest compatible version. Version details:
- Affected version(s): <= 3.2.1
- Patched version(s): 3.2.2
References
Related Issues
- DOMPurify has a nesting-based mXSS - CVE-2024-47875
- Path Traversal in simplehttpserver - CVE-2018-16478
- Cross-Site Scripting in html-pages - CVE-2018-16481
- Path Traversal in http-server-node - CVE-2021-23797
Tags:
- npm
- @vivaxy/here
Last updated on January 09, 2023