CVE-2017-18355
Description
Rendertron 1.0.0 exposes installed package paths via the _where attribute in package.json, enabling remote path disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Rendertron version 1.0.0 and possibly earlier versions expose the file system path of installed packages through the _where attribute in package.json files located under the node_modules directory [1]. This occurs because the node_modules directory is served or accessible to clients, allowing an attacker to retrieve package.json files that contain absolute installation paths in the _where field. No authentication or special configuration is required for this exposure, as it is inherent in the default deployment of Rendertron 1.0.0 [1][2].
Exploitation
An attacker with network access to a running Rendertron 1.0.0 instance can simply request a `package.json` file from the `node_modules` directory via HTTP, for example by navigating to a path like `/node_modules/<package>/package.json` [1]. The server returns the file content, which includes the `_where` attribute revealing the absolute path on the server's filesystem. No user interaction or elevated privileges are needed [1].
Impact
Successful exploitation allows a remote attacker to discover the absolute file system path of the Rendertron server [1]. This information disclosure can aid in further attacks, such as identifying the server's directory structure for subsequent exploitation of other vulnerabilities. The exposure is limited to path disclosure; it does not directly enable code execution or data modification.
Mitigation
Rendertron has been deprecated and is not actively maintained [2]. The official recommendation is to avoid using dynamic rendering solutions and adopt alternative approaches [2]. The project's GitHub repository indicates it is archived and no further fixes will be released [2][3]. If continued use is necessary, administrators should restrict access to the node_modules directory via web server configuration (e.g., deny rules in nginx or Apache) to prevent direct file access [1]. No single fixed version is available; the vulnerability remains unpatched in the last release (1.0.0).
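The deny rule described above can also be enforced inside the Node process, in front of any static file handler. This is an added example, not Rendertron's code: `ALLOWED`, `canonicalPath`, `isServable` and `guardNodeModules` are hypothetical names, and the allowlisted URLs assume the two polyfill files are served at those absolute paths.

```javascript
'use strict';

// Assumption: these are the only node_modules files clients need. The two
// paths mirror the <script src> values in the test fixtures on this page.
const ALLOWED = new Set([
  '/node_modules/@webcomponents/webcomponentsjs/webcomponents-lite.js',
  '/node_modules/@webcomponents/webcomponentsjs/webcomponents-loader.js',
]);

// Reduce a raw request URL to the path a static file handler would open:
// drop query/fragment, percent-decode once, unify slashes, resolve dot segments.
function canonicalPath(rawUrl) {
  let p = String(rawUrl).split(/[?#]/)[0];
  try { p = decodeURIComponent(p); } catch (e) { return null; } // bad encoding
  if (p.includes('\0')) return null;
  const out = [];
  for (const seg of p.replace(/\\/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Default deny: any path that mentions node_modules is refused unless it is
// an exact allowlisted file, so package.json (and its _where field) is never
// returned. The substring test is deliberately broader than a segment match.
function isServable(rawUrl) {
  const p = canonicalPath(rawUrl);
  if (p === null) return false;
  if (!p.toLowerCase().includes('node_modules')) return true;
  return ALLOWED.has(p);
}

// Express-style middleware signature (req, res, next); mount it before any
// static file handler. A 404 does not confirm whether the file exists.
function guardNodeModules(req, res, next) {
  if (isServable(req.url)) return next();
  res.statusCode = 404;
  res.end();
}

// Constructed sample requests, not taken from real traffic.
const SAMPLE_REQUESTS = [
  '/index.html',
  '/node_modules/@webcomponents/webcomponentsjs/webcomponents-lite.js',
  '/node_modules/express/package.json',
  '/static/../node_modules/express/package.json',
  '/node_modules%2Fexpress%2Fpackage.json',
];
for (const url of SAMPLE_REQUESTS) console.log(isServable(url) ? 'serve' : 'deny ', url);
```

The check runs on the decoded, dot-resolved path, so encoded separators and `..` segments are judged by the file they would actually reach.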
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rendertron (npm) | < 1.1.0 | 1.1.0 |
Affected products (1)
Patches (1)
8d70628c96ae copyright headers (#72)
20 files changed · +309 −0
middleware/src/middleware.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + 'use strict'; const request = require('request');
middleware/test/middleware-test.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + 'use strict'; const express = require('express');
src/cache.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + 'use strict'; const datastore = require('@google-cloud/datastore')();
src/index.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <!doctype html> <html lang="en"> <head>
src/main.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + 'use strict'; const assert = require('assert');
src/renderer.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + 'use strict'; const CDP = require('chrome-remote-interface');
test/app-test.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + 'use strict'; const request = require('supertest');
test/cache-test.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + 'use strict'; const test = require('ava');
test/resources/basic-script.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <script> var element = document.createElement('title'); element.textContent = 'document' + '-title';
test/resources/custom-element.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <script> class MyElement extends HTMLElement { constructor() {
test/resources/explicit-render-event.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <script> setTimeout(() => { document.body.textContent = 'async loaded';
test/resources/http-meta-status-code.html+15 −0 modified@@ -1 +1,16 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <meta name="render:status_code" content="400"> \ No newline at end of file
test/resources/http-meta-status-code-multiple.html+15 −0 modified@@ -1,2 +1,17 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <meta name="render:status_code" content="401"> <meta name="render:status_code" content="402"> \ No newline at end of file
test/resources/include-script.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <script src="inject-element-after-load.js"></script> <link rel="import" href="custom-element.html"> <custom-element></custom-element>
test/resources/inject-element-after-load.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + window.onload = function() { var element = document.createElement('div'); element.textContent = 'injected' + 'Element';
test/resources/inject-element.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + var element = document.createElement('div'); element.textContent = 'injectedElement'; document.body.appendChild(element); \ No newline at end of file
test/resources/script-after-load.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <script> window.onload = function() { var script = document.createElement('script');
test/resources/shadow-dom-no-polyfill.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <my-element></my-element> <script> class MyElement extends HTMLElement {
test/resources/shadow-dom-polyfill-all.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <script src="node_modules/@webcomponents/webcomponentsjs/webcomponents-lite.js"></script> <my-element></my-element> <script>
test/resources/shadow-dom-polyfill-loader.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <script src="node_modules/@webcomponents/webcomponentsjs/webcomponents-loader.js"></script> <my-element></my-element> <script>
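Review bot: in test/resources/shadow-dom-polyfill-all.html and test/resources/shadow-dom-polyfill-loader.html the unchanged `<script src="node_modules/@webcomponents/webcomponentsjs/...">` lines load the polyfill from a `node_modules/` URL, so these fixtures depend on that directory being reachable over HTTP, which is the exposure described for this CVE. Every added line across the 20 files is license-comment text (+309 −0), so nothing in this diff changes what is served. Suggest copying the two polyfill files next to the fixtures, or serving only those two files, and tracking that change separately from the header commit.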
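Review bot: test/resources/http-meta-status-code.html, test/resources/http-meta-status-code-multiple.html and test/resources/inject-element.js still end with `\ No newline at end of file`. These files are being edited anyway, so add the trailing newline in the same change.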
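Review bot: in src/index.html the license comment is inserted above `<!doctype html>`, which pushes the doctype off the first line of the file. Suggest placing the comment directly after the doctype so the document still opens with it.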
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/advisories/GHSA-vqmr-957g-r7w3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-18355 (ghsa, ADVISORY)
- bugs.chromium.org/p/chromium/issues/detail (ghsa, x_refsource_MISC, WEB)
- github.com/GoogleChrome/rendertron/commit/8d70628c96ae72eff6eebb451d26fc9ed6b58b0e (ghsa, x_refsource_MISC, WEB)
- github.com/GoogleChrome/rendertron/pull/88 (ghsa, x_refsource_MISC, WEB)