VYPR
High severity · NVD Advisory · Published Sep 4, 2015 · Updated May 6, 2026

CVE-2015-5688

Description

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH_INFO to the default URI.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
geddy     npm         < 13.0.8            13.0.8

Affected products

  • cpe:2.3:a:geddyjs:geddy:13.0.7:*:*:*:*:node.js:*:*

Patches

2de63b68b3aa

Merge pull request #699 from phanect/v13-security

Repository: https://github.com/geddy/geddy · Author: Jumpei Ogawa · Jul 27, 2015 · via GHSA
3 files changed · +12 −3
  • lib/app/index.js (+8 −1, modified)
    @@ -176,7 +176,14 @@ var App = function () {
     
     
         // Get the path to the file, decoding the request URI
    -    staticPath = this.config.staticFilePath + decodeURIComponent(reqUrl);
    +    staticPath = path.resolve(path.join(this.config.staticFilePath, decodeURIComponent(reqUrl)));
    +
    +    // Prevent directory traversal
    +    if (staticPath.indexOf(this.config.staticFilePath) !== 0) {
    +      this.handleNotFound(reqUrl, params, reqObj, respObj);
    +      return;
    +    }
    +
         // Ignore querystring
         staticPath = staticPath.split('?')[0];
     
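    Review bot: the new guard `staticPath.indexOf(this.config.staticFilePath) !== 0` is a plain prefix test, and prefix tests admit sibling directories whose names share the prefix (a root of `/srv/public` also accepts `/srv/public_old/...`); compare against the resolved root plus a trailing `path.sep` and allow the exact root, e.g. `var root = path.resolve(this.config.staticFilePath);` followed by `if (staticPath !== root && staticPath.indexOf(root + path.sep) !== 0)`. Resolving the root also matters on its own: `staticPath` is absolute after `path.resolve`, while `this.config.staticFilePath` is compared as configured, so a relative root makes the comparison fail for every request and nothing is served. Two smaller points: the query string is still stripped with `staticPath.split('?')[0]` after the resolve and the check, so the `?...` part takes part in normalisation and the strip would be cleaner before `decodeURIComponent`; and `decodeURIComponent` throws a `URIError` on malformed percent-encoding, which nothing on this path catches.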
    
  • package.json (+2 −2, modified)
    @@ -8,7 +8,7 @@
         "MVC",
         "realtime"
       ],
    -  "version": "13.0.7",
    +  "version": "13.0.8",
       "author": "Matthew Eernisse <mde@fleegix.org> (http://fleegix.org)",
       "dependencies": {
         "barista": "0.2.x",
    @@ -43,4 +43,4 @@
       "engines": {
         "node": "*"
       }
    -}
    \ No newline at end of file
    +}
    
  • .travis.yml (+2 −0, modified)
    @@ -1,6 +1,8 @@
     language: node_js
     node_js:
    +  - "0.12"
       - "0.10"
    +  - "iojs"
     
     before_install:
       - npm update -g npm
    
