CVE-2017-16160
Description
11xiaoli is a simple file server. 11xiaoli is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
11xiaoli simple file server is vulnerable to directory traversal via "../" in the URL, allowing arbitrary file read.
Vulnerability
11xiaoli is a simple file server package for Node.js. All versions are vulnerable to a directory traversal issue [1], [2]. By placing the ../ sequence in the URL, an attacker can access files outside the intended serving directory. No specific configuration is required to trigger the vulnerability; the server directly uses user-supplied path segments without sanitization [2].
Exploitation
An attacker needs only network access to the server and can send a crafted HTTP GET request. The exploit path includes sequences such as ../../../etc/passwd to traverse up the directory tree [2]. No authentication or special privileges are required. Public proof-of-concept code exists that demonstrates reading arbitrary files [2].
Impact
Successful exploitation allows an attacker to read arbitrary files from the server's filesystem with the privileges of the Node.js process. This leads to information disclosure of sensitive data, such as configuration files, passwords, or application source code [1], [2].
Mitigation
As of the last available information, no fix or patched version of 11xiaoli has been released [1], [2]. The package is no longer maintained. Users should avoid using this package in production and migrate to an alternative file server that properly sanitizes user input. No workaround is provided in the references.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| 11xiaoli (npm) | >= 0.0.0 | — |
Affected products
- HackerOne / 11xiaoli node module (Range: All versions)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-x2jj-x3q2-7hph (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2017-16160 (NVD)
- https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/11xiaoli (proof of concept, misc)
- https://nodesecurity.io/advisories/395 (Node Security advisory, via MITRE)
- https://www.npmjs.com/advisories/395 (npm advisory)
News mentions
No linked articles in our index yet.