st@0.1.3 vulnerabilities

A module for serving static files. Does etags, caching, etc.

Direct Vulnerabilities

Known vulnerabilities in the st package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Open Redirect

st is a module for serving static files.

Affected versions of this package are vulnerable to Open Redirect. A malicious user could send a specially crafted request, which would automatically redirect the request to another domain, controlled by the attacker.

Note: st will only redirect if requests are served from the root(/) and not from a subdirectory

<1.2.2
  • M
Open Redirect

st is a module for serving static files.

Affected versions of this package are vulnerable to Open Redirect. A malicious user could send a specially crafted request, which would automatically redirect the request to another domain, controlled by the attacker.

Note: st will only redirect if requests are served from the root(/) and not from a subdirectory

<1.2.2
  • M
Directory Traversal

Versions prior to 0.2.5 did not properly prevent path traversal. Literal dots in a path were resolved out, but url encoded dots were not. Thus, a request like /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd would leak sensitive files and data from the server.

As of version 0.2.5, any '/../' in the request path, urlencoded or not, will be replaced with '/'. If your application depends on url traversal, then you are encouraged to please refactor so that you do not depend on having .. in url paths, as this tends to expose data that you may be surprised to be exposing.

How to fix Directory Traversal?

Upgrade to version 0.2.5 or greater.

<0.2.5