CVE-2023-26111
Severity CVSS v4.0:
Pending analysis
Type:
CWE-22
Path Traversal
Publication date:
06/03/2023
Last modified:
05/03/2025
Description
All versions of the package @nubosoftware/node-static; all versions of the package node-static are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith() method in the servePath function.<br />
<br />
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:\@nubosoftware\/node-static_project:\@nubosoftware\/node-static:-:*:*:*:*:node.js:*:* | ||
| cpe:2.3:a:node-static_project:node-static:-:*:*:*:*:node.js:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://gist.github.com/lirantal/c80b28e7bee148dc287339cb483e42bc
- https://github.com/cloudhead/node-static/blob/master/lib/node-static.js%23L160-L163
- https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-3149928
- https://security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3149927
- https://gist.github.com/lirantal/c80b28e7bee148dc287339cb483e42bc
- https://github.com/cloudhead/node-static/blob/master/lib/node-static.js%23L160-L163
- https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-3149928
- https://security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3149927