Directory Traversal

Module: send

Published: September 12th, 2014

Reported by: Ilya Kantor

CVE-2014-6394

CWE-22

Vulnerable: < 0.8.4
Patched: >= 0.8.4

Overview

Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory.

For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.

Remediation

Update to version 0.8.4 or later.

References

PR #59 Commit #9c6ca9b