<ul> <li>Update to version 1.7.2 or greater (or 1.6.5 if sticking to the 1.6.x line).<ul> <li>Disable redirects if not using the feature with 'redirect: false' option and cannot upgrade.</li> </ul> </li> </ul>

Open Redirect Affecting serve-static package, versions <1.6.5 >=1.7.0 <1.7.2

Snyk CVSS

Attack Complexity High

User Interaction Required

Threat Intelligence

EPSS 0.35% (72^nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID npm:serve-static:20150113
published 13 Jan 2015
disclosed 13 Jan 2015
credit Pierre-Élie Fauché

Report a new vulnerability Found a mistake?

Introduced: 13 Jan 2015

CVE-2015-1164 Open this link in a new tab CWE-601 Open this link in a new tab

How to fix?

Update to version 1.7.2 or greater (or 1.6.5 if sticking to the 1.6.x line).
- Disable redirects if not using the feature with 'redirect: false' option and cannot upgrade.

Overview

When using serve-static middleware version < 1.7.2 and it's configured to mount at the root, it creates an open redirect on the site.

Source: Node Security Project

Details

For example:

If a user visits http://example.com//www.google.com/%2e%2e they will be redirected to //www.google.com/%2e%2e, which some browsers interpret as http://www.google.com/%2e%2e.