npm

Severity: low

Open Redirect

serve-static

Overview

Versions of serve-static prior to 1.6.5 ( or 1.7.x prior to 1.7.2 ) are affected by an open redirect vulnerability on some browsers when configured to mount at the root directory.

Proof of Concept

A link to http://example.com//www.google.com/%2e%2e will redirect to //www.google.com/%2e%2e

Some browsers will interpret this as http://www.google.com/%2e%2e, resulting in an external redirect.

Remediation

Version 1.7.x: Update to version 1.7.2 or later. Version 1.6.x: Update to version 1.6.5 or later.

Resources

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. reported

    Initial report by Pierre-Élie Fauché
    Oct 17th, 2015
  2. published

    Advisory published
    Jan 13th, 2015