Directory Traversal

Module: serve-here

Published: January 12th, 2018

Reported by: Yasin Soliman



Vulnerable: All
Patched: None


The serve-here module is a small web server that serves files with the process' working directory acting as the web root.

It is vulnerable to a directory traversal attack.

This means that files on the local file system which exist outside of the web root may be disclosed to an attacker. This might include confidential files.

Mitigating Factors: If the node process is run as a user with very limited filesystem permissions, there is significantly less risk of exposing confidential/private information.

Proof of Concept:

curl "http://${SERVER_IP}:${SERVER_PORT}/..%2f..%2fetc/passwd"


serve-here has been deprecated by the author and replaced by @vivaxy/here

run npm i @vivaxy/here to install the new module.


Sign up FREE for
nsp Continuous Security

Free for open source and the first private repo,
then just $1/mo per private repo