Beware of Directory Traversal Vulnerability in Node-Static Package

CVECVE-2023-26111
CVSScvssV3_1: 7.5
SourceCVE-2023-26111

The Node-Static package, which is a popular Node.js module for serving static files, has been found to contain a Directory Traversal vulnerability. Node-Static is used by many websites and applications to serve front-end files like HTML, CSS and JavaScript.

The vulnerability arises due to improper sanitization of file paths in the startsWith() method used in the servePath function. This could allow a malicious attacker to access files outside of the intended directory that are not meant to be publicly accessible. For example, the attacker could retrieve application configuration files containing sensitive database credentials or access restricted areas of the file system.

To exploit this, the attacker would craft a specially crafted HTTP request containing encoded path sequences to traverse up the directory tree. If not handled correctly by the application, this could reveal files that should be hidden.

The current CVSS score of this vulnerability is rated at 7.5 out of 10, indicating a high severity issue. All versions of Node-Static are affected.

If you are using Node-Static in your application, you should immediately upgrade to the latest version to patch this vulnerability. Also ensure your application validates and sanitizes file paths before serving content. Proper authorization checks should be implemented to control access. Staying on top of software updates is key to protecting yourself from such security issues.

References