CVE-2017-16164
Description
desafio is a simple web server. desafio is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url, but is limited to accessing only .html files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
desafio web server (≤1.1.0) is vulnerable to directory traversal, allowing access to arbitrary .html files via '../' sequences in the URL.
Vulnerability
desafio is a simple Node.js-based web server [1]. Versions up to and including 1.1.0 are vulnerable to a directory traversal attack [3]. By placing ../ sequences in the URL, an attacker can read files outside the intended web root, though the server restricts access to files with a .html extension only [1].
Exploitation
An attacker needs only network access to the running desafio server. No authentication or special privileges are required. The attacker crafts an HTTP request containing path traversal patterns (e.g., ../../file.html) in the URL path, which the server processes and serves the corresponding .html file from the filesystem [1][2].
Impact
Successful exploitation allows an attacker to read arbitrary .html files from the server's filesystem, potentially exposing sensitive information such as configuration files, internal documentation, or other HTML-based content that should not be publicly accessible [1].
Mitigation
As of the available references, no patched version of desafio has been released [3]. The advisory notes that the package is no longer maintained [3]. Users should migrate to an alternative web server or remove the package from production environments. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| desafio (npm) | <= 1.1.0 | — |
Affected products
- HackerOne / desafio node module (range: all versions)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-f499-jv47-9wxf (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-16164 (NVD, via GHSA)
- github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/desafio (MISC, via GHSA)
- nodesecurity.io/advisories/397 (MISC, via MITRE)
- www.npmjs.com/advisories/397 (via GHSA)
News mentions
No linked articles in our index yet.