Open Redirect

Affecting serve-static package, versions <1.6.5 || >=1.7.0 <1.7.2

Overview

When the serve-static middleware (a version below 1.7.2) is mounted at the root of the site, the directory redirect it issues creates an open redirect on the site.

Source: Node Security Project

Details

For example:

If a user visits http://example.com//www.google.com/%2e%2e they will be redirected to //www.google.com/%2e%2e, which some browsers interpret as http://www.google.com/%2e%2e.

Remediation

  • Update to version 1.7.2 or greater (or 1.6.5 if staying on the 1.6.x line).
  • If you cannot upgrade and do not need the redirect feature, disable it with the 'redirect: false' option.
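As an added illustration (not serve-static's own code), the Node.js snippet below models the root-mounted directory redirect described above with the advisory's example request, shows the leading-slash collapse that keeps the Location value site-relative, and adds an origin check a defender can apply to any redirect. The function names are hypothetical; the check relies only on Node's built-in WHATWG URL class.

```javascript
// Added example, not serve-static's own code. Models the directory redirect a
// root-mounted static handler issues ("/dir" -> "/dir/") and why a request path
// beginning with "//" turns it into an open redirect. Function names are
// hypothetical; the example.com origin and request path come from the advisory.

// Pre-fix behaviour: the Location header is the request path plus a trailing
// slash, with no check for a protocol-relative ("//host") prefix.
function naiveRedirectTarget(requestPath) {
  return requestPath + '/';
}

// Collapse a run of leading slashes to a single "/", so the resulting Location
// can only ever be a path on the same site.
function collapseLeadingSlashes(str) {
  let i = 0;
  while (i < str.length && str[i] === '/') i += 1;
  return i > 1 ? '/' + str.slice(i) : str;
}

// Hardened variant of the same redirect.
function safeRedirectTarget(requestPath) {
  return collapseLeadingSlashes(requestPath) + '/';
}

// Second, independent layer: resolve the Location value the way a browser
// would (Node's global WHATWG URL class) and confirm the origin is unchanged.
// This also catches variants such as "/\host", which the parser treats like
// "//host" for http(s) URLs.
function staysOnSite(location, siteOrigin) {
  const resolved = new URL(location, siteOrigin);
  return resolved.origin === new URL(siteOrigin).origin;
}

// Walk through the advisory's example request: GET //www.google.com/%2e%2e
const site = 'http://example.com';
const attackPath = '//www.google.com/%2e%2e';

const naiveLocation = naiveRedirectTarget(attackPath);
console.log('naive Location:', naiveLocation, '-> stays on site:', staysOnSite(naiveLocation, site));

const safeLocation = safeRedirectTarget(attackPath);
console.log('safe Location: ', safeLocation, '-> stays on site:', staysOnSite(safeLocation, site));
```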

CVSS Score

3.1 (low severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Credit: Pierre-Élie Fauché
CVE: CVE-2015-1164
CWE: CWE-601
Snyk ID: npm:serve-static:20150113
Disclosed: 13 Jan, 2015
Published: 13 Jan, 2015