Open Redirect

Affecting node-static package, ALL versions


Overview

node-static is an RFC 2616-compliant HTTP static-file server module with built-in caching.

Affected versions of this package are vulnerable to Open Redirect. When a request names a served directory without a trailing slash, the server answers with a redirect to the requested path plus "/", reflecting the request path into the Location header without sanitizing it. A path that begins with two slashes ("//host") is a protocol-relative URL, so the browser follows the redirect to that host instead of to a path on the application. The reachable hosts are restricted to names that match a folder the application serves, because the redirect is only issued when the directory lookup succeeds. For example, if the application serves the folder ./public and has a folder ./public/example.com, a request for localhost:8080//example.com redirects to https://www.example.com/.

Remediation

A fix was pushed to the master branch but has not yet been published.

CVSS Score

5.4
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:R
Credit
Unknown
CWE
CWE-601
Snyk ID
SNYK-JS-NODESTATIC-1297184
Disclosed
28 May, 2021
Published
28 May, 2021