CVE-2017-16186
Description
360class.jansenhm is a static file server. 360class.jansenhm is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
360class.jansenhm static file server is vulnerable to directory traversal via '../' in URL, allowing file system access.
Vulnerability
The 360class.jansenhm package is a static file server for Node.js. It is vulnerable to a directory traversal attack. By including ../ sequences in the URL, an attacker can escape the intended web root directory and access arbitrary files on the server's filesystem. The vulnerability exists in all versions of the package, as no specific version range is provided in the available references [1].
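The flaw class described above, as an added example (this is not the package's code, which this page does not show): a naive join of the URL path onto the web root, beside a resolver that checks containment before any file is opened. `WEB_ROOT`, `resolveNaive` and `resolveSafe` are hypothetical names, and the sample paths are constructed.

```javascript
const path = require('path');

// Constructed web root for this example (assumption, not from the advisory).
const WEB_ROOT = '/srv/www/public';

// Vulnerable pattern: the decoded URL path is joined onto the root and used
// as-is. path.join collapses "../", so the result can leave WEB_ROOT.
function resolveNaive(urlPath) {
  return path.posix.join(WEB_ROOT, decodeURIComponent(urlPath));
}

// Hardened pattern: decode once, reject malformed input and NUL bytes,
// resolve lexically, then require the result to stay inside WEB_ROOT.
// Returns the absolute path to serve, or null if the request must be refused.
function resolveSafe(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null;

  // Prefix with "./" so a leading "/" cannot reset resolution to the fs root.
  const candidate = path.posix.resolve(WEB_ROOT, './' + decoded);

  // Compare via path.relative rather than a string prefix test: a prefix
  // test would accept a sibling such as /srv/www/public-backup.
  const rel = path.posix.relative(WEB_ROOT, candidate);
  if (rel === '..' || rel.startsWith('../') || path.posix.isAbsolute(rel)) {
    return null;
  }
  // This check is lexical only. A server that may hold symlinks should also
  // compare fs.realpath() of the candidate against the real root.
  return candidate;
}
```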
Exploitation
An attacker can exploit this vulnerability by sending an HTTP request to the server with a crafted URL containing ../ path traversal sequences. No authentication or special privileges are required. For example, requesting http://target/../etc/passwd would retrieve the system's password file. The GitHub proof-of-concept repository demonstrates the attack [2].
Impact
Successful exploitation allows an attacker to read any file on the server's filesystem that the server process has access to. This leads to information disclosure of sensitive data such as configuration files, source code, or system files. The attacker gains no write or execute capabilities, but the confidentiality impact is high.
Mitigation
As of the publication date (2018-06-07), no patched version of 360class.jansenhm has been released. The package appears to be unmaintained. The recommended mitigation is to remove the package from the project and replace it with a secure alternative static file server. No workaround is available.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| 360class.jansenhm (npm) | >= 0.0.0 | — |
Affected products
- HackerOne/360class.jansenhm node module, v5, Range: All versions
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-25jw-gcfj-283j (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-16186 (ghsa, ADVISORY)
- github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/360class.jansenhm (ghsa, x_refsource_MISC, WEB)
- nodesecurity.io/advisories/448 (mitre, x_refsource_MISC)
- www.npmjs.com/advisories/448 (ghsa, WEB)