Severity: low

    Directory Traversal

    send

    Overview

    Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory.

    For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.

    Remediation

    Update to version 0.8.4 or later.

    Have content suggestions? Visit npmjs.com/support.

    Advisory timeline

    1. published

      Advisory published
      Sep 12th, 2014
    2. reported

      Initial report by Ilya Kantor
      Oct 17th, 2015