Open Redirect

Module: serve-static

Published: January 13th, 2015

Reported by: Pierre-Élie Fauché

CVE-2015-1164

CWE-601

Vulnerable: <1.6.5 || >=1.7.0 <1.7.2
Patched: ~1.6.5 || >=1.7.2

Overview

Versions of serve-static prior to 1.6.5 ( or 1.7.x prior to 1.7.2 ) are affected by an open redirect vulnerability on some browsers when configured to mount at the root directory.

Proof of Concept

A link to http://example.com//www.google.com/%2e%2e will redirect to //www.google.com/%2e%2e

Some browsers will interpret this as http://www.google.com/%2e%2e, resulting in an external redirect.

Remediation

Version 1.7.x: Update to version 1.7.2 or later. Version 1.6.x: Update to version 1.6.5 or later.

References

Issue #26