CVE-2017-16162
Description
22lixian is a simple file server. 22lixian is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
22lixian simple file server suffers from a directory traversal vulnerability that allows an attacker to access arbitrary files via `../` in the URL.
Vulnerability
22lixian is a simple file server for npm. Versions up to and including 1.0.0 are vulnerable to a directory traversal issue. An attacker can craft a URL containing ../ sequences to escape the intended root directory and access arbitrary files on the file system. [1][3]
Exploitation
An attacker needs only network access to the server and does not require authentication. When a request arrives with `../` sequences in the URL path (for example, `GET /../../../etc/passwd`), the server serves the file located outside the expected web root. A proof-of-concept demonstrating the traversal is available. [2]
Impact
Successful exploitation allows an attacker to read any file on the server that the process has access to, leading to information disclosure of sensitive data such as configuration files, system files, or application secrets. The privilege level is that of the running server process. [1][2]
Mitigation
No fix has been released as of the advisory publication date (2018-07-23). The package appears to be unmaintained; users should avoid using 22lixian or migrate to an alternative file server that prevents directory traversal. [1][3]
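The containment check that a replacement file server should perform, shown next to the unsafe pattern described above. This is an added example, not 22lixian's source code; `ROOT`, `resolveUnsafe` and `resolveSafe` are hypothetical names, the sample request paths are constructed, and POSIX paths are assumed.

```javascript
const path = require("path");

const ROOT = path.resolve("/srv/files"); // hypothetical document root

// Unsafe pattern: the URL path is joined to the root and used as-is.
// path.join() normalizes "../" segments, so the result can leave ROOT.
function resolveUnsafe(urlPath) {
  return path.join(ROOT, decodeURIComponent(urlPath));
}

// Hardened pattern: decode once, resolve to an absolute path, then require
// the result to be ROOT itself or a descendant of ROOT.
function resolveSafe(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch (err) {
    return null; // malformed percent-encoding: reject the request
  }
  if (decoded.includes("\0")) return null; // NUL is never valid in a file path
  const target = path.resolve(ROOT, "." + path.sep + decoded);
  // Compare against ROOT + separator so a sibling such as
  // "/srv/files-private" is not mistaken for a path inside "/srv/files".
  if (target !== ROOT && !target.startsWith(ROOT + path.sep)) return null;
  return target;
}

// Constructed request paths, for illustration only.
const samples = [
  "/docs/readme.txt",
  "/../../../etc/passwd",
  "/%2e%2e/%2e%2e/etc/passwd",
  "/../files-private/key",
];
for (const p of samples) {
  console.log(p, "| unsafe:", resolveUnsafe(p), "| safe:", resolveSafe(p));
}
```

The check is lexical only: if the served directory can contain symbolic links, resolve the target with `fs.realpathSync` before comparing it against the root.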
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| 22lixian (npm) | <= 1.0.0 | — |
Affected products
- HackerOne/22lixian node module (v5). Range: All versions
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-rrfc-g2gh-xvjm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-16162 (ghsa, ADVISORY)
- github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/22lixian (ghsa, x_refsource_MISC, WEB)
- nodesecurity.io/advisories/390 (mitre, x_refsource_MISC)
- www.npmjs.com/advisories/390 (ghsa, WEB)