Description
This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 12.2.0
References
Related Issues
- MJML vulnerable to path traversal - CVE-2020-12827
- Path traversal in rollup-plugin-serve - CVE-2020-7684
- mapshaper Path Traversal vulnerability - CVE-2024-1163
- @google/clasp vulnerable to unsafe path traversal cloning or pulling a malicious script - CVE-2026-4092
- Tags:
- npm
- droppy
Anything's wrong? Let us know Last updated on February 01, 2023