Medium severity · 5.3 · NVD Advisory · Published Jan 23, 2017 · Updated May 13, 2026

CVE-2015-8859

CVE-2015-8859

Description

The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
send (npm) | < 0.11.1 | 0.11.1

Affected products

1
  • cpe:2.3:a:send_project:send:*:*:*:*:*:node.js:*:*
    Range: <0.11.1

Patches

1
98a5b89982b3

Fix root path disclosure

https://github.com/pillarjs/send · Douglas Christopher Wilson · Jan 20, 2015 · via ghsa
3 files changed · +21 5
  • History.md+5 0 modified
    @@ -1,3 +1,8 @@
    +unreleased
    +==========
    +
    +  * Fix `root` path disclosure
    +
     0.11.0 / 2015-01-05
     ===================
     
    
  • index.js+5 5 modified
    @@ -415,16 +415,16 @@ SendStream.prototype.pipe = function(res){
     
       var parts
       if (root !== null) {
    -    // join / normalize from optional root dir
    -    path = normalize(join(root, path))
    -    root = normalize(root + sep)
    -
         // malicious path
    -    if ((path + sep).substr(0, root.length) !== root) {
    +    if (upPathRegexp.test(normalize('.' + sep + path))) {
           debug('malicious path "%s"', path)
           return this.error(403)
         }
     
    +    // join / normalize from optional root dir
    +    path = normalize(join(root, path))
    +    root = normalize(root + sep)
    +
         // explode path parts
         parts = path.substr(root.length).split(sep)
       } else {
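Review bot: The `// malicious path` comment above the new `upPathRegexp.test(normalize('.' + sep + path))` check does not say why the check now runs before the join, and that ordering is what closes the disclosure. Normalizing against `'.'` collapses `..` segments that stay inside the root, so only a request that climbs above it keeps a `..` segment; the old prefix comparison ran after `join(root, path)` and so accepted a path that left the root and re-entered it by directory name, as the added test's `/pets/../../fixtures/name.txt` shows. I would replace the comment with `// reject paths that climb above root; must run before join(), or a path re-entering root by name passes the prefix check`. `upPathRegexp` is defined outside this hunk, so whether it matches both `/` and `\` separators cannot be confirmed from here, and the body of `pipe` continues past the hunk.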
    
  • test/send.js+11 0 modified
    @@ -1170,6 +1170,17 @@ describe('send(file, options)', function(){
             .get('/../name.dir/name.txt')
             .expect(403, done)
           })
    +
    +      it('should not allow root path disclosure', function(done){
    +        var app = http.createServer(function(req, res){
    +          send(req, req.url, {root: __dirname + '/fixtures'})
    +          .pipe(res);
    +        });
    +
    +        request(app)
    +        .get('/pets/../../fixtures/name.txt')
    +        .expect(403, done)
    +      })
         })
     
         describe('when missing', function(){
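Review bot: The new case pins only the rejected shape; nothing in this hunk asserts that a `..` segment which stays inside the root is still served, so a later tightening of the guard into a blanket `..` ban would go unnoticed. A companion case next to it, e.g. `.get('/pets/../name.txt')` with `.expect(200, done)`, would fix the intended boundary, assuming `fixtures/name.txt` exists as the request path in this test suggests and no such case already lives elsewhere in the file. The new lines also end `.pipe(res);` and `});` with semicolons while the surrounding tests omit them. The enclosing `describe` block starts and ends outside the hunk.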
    


References

9
