hostr@1.1.3 vulnerabilities

A simple web server for the current working directory. Used for hello world style web sites hosting only files in current directory structure. Watches files and integrates with LiveReload.

Direct Vulnerabilities

Known vulnerabilities in the hostr package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Directory Traversal

hostr is a simple web server for the current working directory. Used for hello world style web sites hosting only files in current directory structure. Watches files and integrates with LiveReload. Affected versions of the package do not filter http GET requests in javascript code, allowing an attacker to retrieve confidential files over the network by requesting urls like: http://localhost:3000/../../../etc/passwd. CURLing the same request will not succeed.

Many thanks to Liang Gong for disclosing this vulnerability.

How to fix Directory Traversal?

Upgrade hostr to version 2.3.6 or higher.

<2.3.6