Directory Traversal

Module: send

Published: September 12th, 2014

Reported by: Ilya Kantor


Vulnerable: < 0.8.4
Patched: >= 0.8.4


When relying on the root option to restrict file access, it may be possible for an application consumer to escape the restricted directory and access files in a similarly named directory. For example, static(__dirname + '/public') would allow access to __dirname + '/public-restricted'.


Upgrade to a version greater than or equal to 0.8.4.
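The sibling-directory escape described above can be reproduced with a root check that compares path strings by prefix. The following is an added example, not code from send or from this advisory: the function names, the /srv/app paths and the request strings are constructed for illustration, and the prefix comparison is an assumed way for such a check to fail.

```javascript
// Added illustration: two ways to test whether a request stays under `root`.
// path.posix keeps the result identical on every platform.
const posix = require('path').posix;

// Weak check: a bare string-prefix comparison. "/srv/app/public-restricted"
// begins with "/srv/app/public", so a sibling directory passes.
function insideRootNaive(root, requestPath) {
  const resolved = posix.normalize(posix.join(root, requestPath));
  return resolved.startsWith(posix.normalize(root));
}

// Stricter check: the resolved path must equal the root itself or begin
// with the root followed by a path separator.
function insideRootStrict(root, requestPath) {
  const base = posix.resolve(root);
  const resolved = posix.resolve(base, './' + requestPath);
  return resolved === base || resolved.startsWith(base + posix.sep);
}

// Run both checks over a list of request paths and report disagreements.
function audit(root, requests) {
  return requests.map((req) => {
    const naive = insideRootNaive(root, req);
    const strict = insideRootStrict(root, req);
    return { req, naive, strict, escapes: naive && !strict };
  });
}

// Constructed sample input (hypothetical layout, not taken from the advisory).
const ROOT = '/srv/app/public';
const SAMPLE_REQUESTS = [
  '/css/site.css',                      // ordinary file under the root
  '/',                                  // the root itself
  '/../public-restricted/secret.txt',   // similarly named sibling directory
  '/../../etc/passwd',                  // classic traversal, fails both checks
];

for (const row of audit(ROOT, SAMPLE_REQUESTS)) {
  console.log(JSON.stringify(row));
}
```

Only the similarly named sibling is flagged with escapes: true, which is why a containment check has to compare against the root plus a trailing separator rather than the bare root string.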

