Open Redirect

Module: serve-static

Published: January 13th, 2015

Reported by: Pierre-Élie Fauché

CVE-2015-1164

Vulnerable: <1.6.5 || >=1.7.0 <1.7.2
Patched: ~1.6.5 || >=1.7.2

Overview

When serve-static (any version below 1.6.5, or 1.7.0 and 1.7.1) is mounted at the root of a site with its default directory redirect enabled, a crafted request path makes it issue a redirect to an attacker-chosen external host: an open redirect.

The cause is the trailing-slash redirect that serve-static performs when the requested path resolves to a directory: it appends "/" to the path as originally requested and sends that as the Location header. For example, a request for http://example.com//www.google.com/%2e%2e decodes to //www.google.com/.., which normalizes to the static root directory, so the user is redirected to //www.google.com/%2e%2e/. A Location value beginning with two slashes is a scheme-relative (network-path) URL, which browsers resolve against the current scheme as http://www.google.com/%2e%2e/, landing the user on a site the attacker controls.

Remediation

  • Update to version 1.7.2 or greater (or 1.6.5 if staying on the 1.6.x line).
  • If you cannot upgrade and do not rely on the trailing-slash directory redirect, disable it with the 'redirect: false' option.
