Path Traversal in crud-file-server

Description

Versions of crud-file-server prior to 0.9.0 are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths.

Recommendation

Update the crud-file-server package to the latest compatible version. Followings are version details:

• Affected version(s): < 0.9.0
• Patched version(s): 0.9.0

References

• GHSA-vfp9-gwrh-wq9g
• hackerone.com
• www.npmjs.com
• CVE-2018-3733
• CWE-22
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Cross-site Scripting (XSS) - Stored in crud-file-server - CVE-2018-3726
• Path Traversal in general-file-server - CVE-2018-3724
• Path Traversal in http-file-server - CVE-2019-5447
• Path Traversal in angular-http-server - CVE-2018-3713

Tags:

npm

crud-file-server