CVE-2017-16224
Description
st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e, which most browsers follow as a proper redirect because a leading // is treated as scheme-relative and resolved against the scheme currently in use. Mitigating factor: for this to work, st must be serving from the root of the server (/) rather than the typical subdirectory (/static/), and the redirect URL will end with some URL-encoded form of .. ("%2e%2e", "%2e.", ".%2e").
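The redirect described above is dangerous only because a Location value beginning with `//` is scheme-relative. The sanitizer below is an added example written for this page, not code from st or from the advisory: it refuses scheme-relative and absolute targets, decodes percent-encoded dot segments ("%2e%2e", "%2e.", ".%2e") and resolves them, and returns either a normalized same-origin path or null. The function names (`percentDecode`, `collapseDotSegments`, `sanitizeLocalRedirect`) and the sample inputs are constructed for illustration.

```javascript
// Added example (not st's code): validate a redirect Location before emitting it.

// Decode %XX sequences once; return null if the encoding is malformed.
function percentDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return null;
  }
}

// Collapse "." and ".." segments of a decoded, slash-separated path.
// Returns null when ".." would climb above the root.
function collapseDotSegments(path) {
  const out = [];
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null;
      out.pop();
      continue;
    }
    out.push(seg);
  }
  // Preserve a trailing slash on non-root paths so directory redirects survive.
  const trailing = path.endsWith('/') && out.length > 0 ? '/' : '';
  return '/' + out.join('/') + trailing;
}

// Return a normalized same-origin path for `location`, or null if the value
// must not be used as a redirect target.
function sanitizeLocalRedirect(location) {
  if (typeof location !== 'string' || location.length === 0) return null;
  // Anything with a scheme ("https://...", "javascript:...") is not a local path.
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(location)) return null;
  const decoded = percentDecode(location);
  if (decoded === null) return null;
  // Browsers treat "\" as "/" in http(s) URLs, so fold it before inspecting.
  const folded = decoded.replace(/\\/g, '/');
  // The path must be rooted with exactly one slash: "//host/..." is
  // scheme-relative and sends the browser to another origin, which is the
  // CVE-2017-16224 case.
  if (!folded.startsWith('/') || folded.startsWith('//')) return null;
  return collapseDotSegments(folded);
}

module.exports = { percentDecode, collapseDotSegments, sanitizeLocalRedirect };
```

Decoding happens exactly once, matching what a browser does with a Location header; if a downstream component decodes the path again, apply the same check to its output rather than adding blind second passes, which would reject legitimate paths containing a literal percent sign.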
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| st (npm) | < 1.2.2 | 1.2.2 |
Affected products
- Range: <=1.2.1
References
- nodesecurity.io/advisories/547 (NVD: Exploit, Third Party Advisory)
- github.com/advisories/GHSA-72fg-jqhx-c68p (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-16224 (GHSA: Advisory)
- www.npmjs.com/advisories/547 (GHSA: Web)