VYPR
High severity · NVD Advisory · Published Jun 7, 2018 · Updated Sep 16, 2024

CVE-2017-16122

Description

cuciuci is a simple fileserver. cuciuci is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

cuciuci is a simple Node.js fileserver vulnerable to directory traversal via '../' sequences in the URL, exposing the host filesystem.

Vulnerability

cuciuci is a simple Node.js fileserver that is vulnerable to a directory traversal issue. By placing ../ sequences in the URL, an attacker can escape the intended web root directory. All versions of the package are affected [1][2].

Exploitation

The attacker sends an HTTP request with a crafted URL containing ../ sequences, such as /../../etc/passwd. No authentication or special privileges are required; the attacker only needs network access to the server. The vulnerable code path does not sanitize or validate the requested file path, allowing traversal [1][2].

Impact

Successful exploitation allows an attacker to read arbitrary files on the server's filesystem, including sensitive configuration files or application source code. This results in information disclosure (loss of confidentiality). The attacker does not gain write access or code execution directly [1][2].

Mitigation

No official fix or updated version of cuciuci has been published. The package appears to be unmaintained; users should consider migrating to an alternative fileserver that properly sanitizes paths. There is no known workaround other than avoiding the use of this package [1][2].
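
As an added example (not cuciuci's code and not part of the advisory), the path check that a Node.js fileserver needs before opening a file is shown next to the unsafe pattern it replaces. The web root /srv/www and both function names are assumptions made for illustration.

```javascript
const path = require('node:path');

// Hypothetical web root for the example; not a path taken from cuciuci.
const WEB_ROOT = path.resolve('/srv/www');

// Unsafe pattern (constructed to illustrate the bug class, not cuciuci's code):
// the URL path is joined to the root, so "../" segments are honoured.
function naiveResolve(root, reqUrl) {
  return path.join(root, decodeURIComponent(reqUrl.split('?')[0]));
}

// Hardened form: returns an absolute path inside root, or null to reject.
function resolveInsideRoot(root, reqUrl) {
  let decoded;
  try {
    // Decode once, so encoded separators such as %2f are seen by the check.
    decoded = decodeURIComponent(reqUrl.split('?')[0]);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL bytes never belong in a path
  // Treat the request path as relative to root, then normalise it.
  const target = path.resolve(root, '.' + path.sep + decoded);
  const rel = path.relative(root, target);
  // A target outside root shows up as ".." segments or an absolute path.
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return target;
}
```

The check is lexical only: if the web root can contain symbolic links, resolve the result with fs.realpath and repeat the containment test before serving the file.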

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: cuciuci (npm)
Affected versions: >= 0.0.0
Patched versions: (none listed)

Affected products

3

Patches

0

No patches discovered yet.

References

5
