VYPR
← All advisories
Moderate severityNVD Advisory· Published May 29, 2018· Updated Sep 17, 2024

CVE-2014-10068

CVE-2014-10068

Description

The inert directory handler in inert node module before 1.1.1 always allows files in hidden directories to be served, even when showHidden is false.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In inert before 1.1.1, the directory handler served files in hidden directories even when `showHidden` was false, leaking sensitive data.

Vulnerability

The inert directory handler in the inert node module (npm package inert) before version 1.1.1 always allows files in hidden directories to be served, even when the showHidden option is set to false [1][2]. The bug exists in the handler's logic that ignores the showHidden flag when determining whether to serve files from directories whose names start with a dot (.) [3]. Affected versions are all prior to 1.1.1.

Exploitation

An attacker does not need authentication if the directory route is publicly accessible. The attacker simply sends a request for a file or directory listing within a hidden directory (e.g., /.dot/config.json or /.dot/). The server incorrectly returns the file or listing content instead of a 404 response [1][3]. No special privileges or race conditions are required.

Impact

Successful exploitation allows an attacker to read files inside hidden directories that the administrator intended to keep hidden. This can lead to disclosure of sensitive configuration files, application secrets, or other data stored in dot-prefixed directories, violating the confidentiality of the system [1][2].

Mitigation

The fix was released in inert version 1.1.1, which correctly returns a 404 response when showHidden is false and the requested path is in a hidden directory [1][2][3]. Users should upgrade to inert 1.1.1 or later. There is no known workaround, and the package is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

References
  1. Don't allow files in hidden directories to be served by kanongil · Pull Request #15 · hapijs/inert
  2. NVD - CVE-2014-10068
  3. Merge pull request #15 from kanongil/hide-fix-1.1 · hapijs/inert@e8f99f9

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
inertnpm
< 1.1.11.1.1

Affected products

3

Patches

1
e8f99f94da4c

Merge pull request #15 from kanongil/hide-fix-1.1

https://github.com/hapijs/inertEran HammerDec 4, 2014via ghsa
commit
3 files changed · +52 4
  • lib/directory.js+1 1 modified
    @@ -229,7 +229,7 @@ internals.generateListing = function (path, resource, selection, hasTrailingSlas
 
 internals.isFileHidden = function (path) {
 
-    return /^\./.test(Path.basename(path));
+    return /(^|[\\\/])\.([^\\\/]|[\\\/]?$)/.test(path);           // Starts with a '.' or contains '/.' or '\.', and not followed by a '/' or '\' or end
 };
  • package.json+1 1 modified
    @@ -1,7 +1,7 @@
 {
   "name": "inert",
   "description": "Static file and directory handlers for hapi.js",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "repository": "git://github.com/hapijs/inert",
   "main": "index",
   "keywords": [
  • test/directory.js+50 2 modified
    @@ -274,7 +274,7 @@ describe('handler()', function () {
         });
     });
 
-    it('returns the index when found in hidden folder', function (done) {
+    it('returns the index when served from a hidden folder', function (done) {
 
         var server = provisionServer({ files: { relativeTo: __dirname } });
         server.route({ method: 'GET', path: '/{path*}', handler: { directoryTest: { path: './directory/.dot' } } });
@@ -293,7 +293,7 @@ describe('handler()', function () {
         });
     });
 
-    it('returns listing when found in hidden folder', function (done) {
+    it('returns listing when served from a hidden folder', function (done) {
 
         var server = provisionServer({ files: { relativeTo: __dirname } });
         server.route({ method: 'GET', path: '/{path*}', handler: { directoryTest: { path: './directory/.dot', index: false, listing: true } } });
@@ -373,6 +373,35 @@ describe('handler()', function () {
         });
     });
 
+    it('returns a 404 response when requesting a file in a hidden directory when showHidden is disabled', function (done) {
+
+        var server = provisionServer({ files: { relativeTo: __dirname } });
+        server.route({ method: 'GET', path: '/noshowhidden/{path*}', handler: { directoryTest: { path: './directory', listing: true } } });
+
+        server.inject('/noshowhidden/.dot/index.html', function (res) {
+
+            expect(res.statusCode).to.equal(404);
+
+            server.inject('/noshowhidden/.dot/', function (res) {
+
+                expect(res.statusCode).to.equal(404);
+                done();
+            });
+        });
+    });
+
+    it('returns a 404 response when requesting a hidden directory listing when showHidden is disabled', function (done) {
+
+        var server = provisionServer({ files: { relativeTo: __dirname } });
+        server.route({ method: 'GET', path: '/noshowhidden/{path*}', handler: { directoryTest: { path: './directory', listing: true, index: false } } });
+
+        server.inject('/noshowhidden/.dot/', function (res) {
+
+            expect(res.statusCode).to.equal(404);
+            done();
+        });
+    });
+
     it('returns a file when requesting a hidden file when showHidden is enabled', function (done) {
 
         var server = provisionServer({ files: { relativeTo: __dirname } });
@@ -385,6 +414,25 @@ describe('handler()', function () {
         });
     });
 
+    it('returns a a file when requesting a file in a hidden directory when showHidden is enabled', function (done) {
+
+        var server = provisionServer({ files: { relativeTo: __dirname } });
+        server.route({ method: 'GET', path: '/noshowhidden/{path*}', handler: { directoryTest: { path: './directory', showHidden: true, listing: true } } });
+
+        server.inject('/noshowhidden/.dot/index.html', function (res) {
+
+            expect(res.statusCode).to.equal(200);
+            expect(res.payload).to.contain('test');
+
+            server.inject('/noshowhidden/.dot/', function (res) {
+
+                expect(res.statusCode).to.equal(200);
+                expect(res.payload).to.contain('test');
+                done();
+            });
+        });
+    });
+
     it('redirects to the same path with / appended if asking for a directory', function (done) {
 
         var server = provisionServer({ files: { relativeTo: __dirname } });

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.