
Open Redirect in serve-static

Low severity GitHub Reviewed Published Aug 31, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm serve-static (npm)

Affected versions

< 1.6.5
>= 1.7.0, < 1.7.2

Patched versions

1.7.2
1.7.2

Description

Versions of serve-static prior to 1.6.5 (or 1.7.x prior to 1.7.2) are affected by an open redirect vulnerability in some browsers when the middleware is configured to mount at the root directory.

Proof of Concept

A link to http://example.com//www.google.com/%2e%2e will redirect to //www.google.com/%2e%2e

Some browsers will interpret this as http://www.google.com/%2e%2e, resulting in an external redirect.
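The following is an added illustration, not serve-static's own code: it models a trailing-slash directory redirect built from the raw request path, shows how the proof-of-concept path above yields a protocol-relative Location header, and contrasts it with a hardened version that collapses leading slashes so the header can only ever be an origin-relative path. The function names, the splitTarget helper and the sample targets are assumptions made for this example; treating a leading backslash like a slash goes beyond the advisory and reflects how WHATWG URL parsing handles http URLs.

```javascript
// Added example, not serve-static's own code. It models a trailing-slash
// directory redirect built from the raw request path and shows why a path
// beginning with two slashes becomes an open redirect, plus the hardening.

// Constructed sample: the raw request target from the advisory's proof of
// concept, as a Node http server exposes it in req.url (undecoded, unresolved).
const POC_TARGET = '//www.google.com/%2e%2e';

// Split the raw target into path and query without decoding or resolving it.
// The redirect is built from the original request URL, not from the decoded
// filesystem path (where '%2e%2e' resolves to '..' and lands on the root dir).
function splitTarget(rawUrl) {
  const i = rawUrl.indexOf('?');
  if (i === -1) return { pathname: rawUrl, search: '' };
  return { pathname: rawUrl.slice(0, i), search: rawUrl.slice(i) };
}

// Vulnerable shape: append '/' to the raw pathname and use it as Location.
// For POC_TARGET this yields '//www.google.com/%2e%2e/', which a browser
// reads as a protocol-relative URL pointing at www.google.com.
function naiveDirectoryRedirect(rawUrl) {
  const { pathname, search } = splitTarget(rawUrl);
  return pathname + '/' + search;
}

// Collapse a run of leading '/' (and '\', which WHATWG URL parsing treats as
// '/' for http URLs; that part goes beyond the advisory) to a single '/'.
function collapseLeadingSlashes(str) {
  let i = 0;
  while (i < str.length && (str[i] === '/' || str[i] === '\\')) i++;
  return i > 1 ? '/' + str.slice(i) : str;
}

// Detection helper for response review: does this Location value start with
// two slash-like characters, i.e. would a browser treat it as another host?
function isProtocolRelative(location) {
  return /^[\/\\]{2}/.test(location);
}

// Hardened shape: the Location header can only ever be an origin-relative path.
function hardenedDirectoryRedirect(rawUrl) {
  const { pathname, search } = splitTarget(rawUrl);
  const location = collapseLeadingSlashes(pathname + '/') + search;
  if (isProtocolRelative(location)) {
    throw new Error('refusing to emit protocol-relative Location: ' + location);
  }
  return location;
}

// Stand-alone demo over constructed targets (only runs when executed directly).
if (typeof require !== 'undefined' && require.main === module) {
  for (const t of [POC_TARGET, '/docs', '/docs?x=1', '///evil.example']) {
    console.log(t, '->', naiveDirectoryRedirect(t), '| hardened:', hardenedDirectoryRedirect(t));
  }
}
```

The check in isProtocolRelative is also usable on its own when reviewing responses from any redirecting middleware: a Location value whose first two characters are both slash-like will be resolved against a different host by browsers, regardless of what the server intended.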

Recommendation

Version 1.7.x: Update to version 1.7.2 or later.
Version 1.6.x: Update to version 1.6.5 or later.

References

Reviewed Aug 31, 2020
Published to the GitHub Advisory Database Aug 31, 2020
Last updated Jan 9, 2023

Severity

Low
3.1 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Weaknesses

CVE ID

CVE-2015-1164

GHSA ID

GHSA-c3x7-gjmx-r2ff