Affected versions of serve-here resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system.
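The class of bug described above, shown as an added example that is not serve-here's code or part of the original advisory: a naive mapping from request path to file path, next to a version that rejects anything resolving outside the served root. The function names, the root /srv/site and the sample requests are constructed for illustration.

```javascript
const path = require('node:path');

// Hypothetical naive helper: dot segments in the request are resolved by
// path.join, so the result can land outside `root`.
function resolveNaive(root, urlPath) {
  return path.join(root, decodeURIComponent(urlPath));
}

// Hypothetical hardened helper: returns the absolute file path, or null
// when the request does not stay inside `root`.
function resolveContained(root, urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath); // decode first, then check
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL is never valid in a path

  const base = path.resolve(root);
  // The './' prefix keeps a leading '/' in the request from being treated
  // as an absolute path by path.resolve.
  const target = path.resolve(base, '.' + path.sep + decoded);

  // path.relative is used instead of a string prefix test so that a
  // sibling such as /srv/site-private is not mistaken for /srv/site.
  const rel = path.relative(base, target);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return target;
}

// Constructed sample requests (not taken from the advisory).
const SAMPLES = [
  '/index.html',
  '/css/../index.html',
  '/../../etc/passwd',
  '/%2e%2e/%2e%2e/etc/passwd',
  '/../site-private/key.pem',
  '/%zz',
];

// Returns [request, resolved path or null] for each sample.
function audit(root) {
  return SAMPLES.map((p) => [p, resolveContained(root, p)]);
}
```

The containment check is lexical only; a symlink inside the root that points elsewhere needs an additional fs.realpath comparison.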
Proof of Concept:
To install the replacement package:
npm i @vivaxy/here
Advisory published: Jan 12th, 2018
Initial report by Yasin Soliman: Jan 11th, 2018