VYPR
Moderate severity · NVD Advisory · Published Feb 1, 2019 · Updated Aug 5, 2024

CVE-2018-16485

Description

m-server < 1.4.1 allows directory traversal via appended slashes, leaking arbitrary file contents.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A path traversal vulnerability exists in the npm module m-server versions prior to 1.4.1 [1][2]. The web server does not properly sanitize URL paths; by appending trailing slashes to a request, an unauthenticated attacker can traverse outside the intended document root and read the contents of any file on the system. For example, requesting /etc/passwd with extra slashes bypasses the access control and serves the file directly [1].

Exploitation

The attacker does not require any authentication or special network position; they simply need to send crafted HTTP requests to a running instance of m-server. By adding one or more trailing slashes to a path segment (e.g., /etc/passwd/../ or //etc/passwd), the server fails to properly resolve the path and returns the target file's content. This is a low-skill, low-complexity exploit that can be carried out with standard HTTP tools [1][2].

Impact

Successful exploitation leads to unauthorized disclosure of sensitive file contents on the server filesystem. An attacker can read configuration files, credentials, or other confidential data such as /etc/passwd. The confidentiality of the entire system is compromised; there is no indication of write access or code execution. The impact is limited to information disclosure but can be severe if the leaked data enables further attacks [1][2].

Mitigation

Upgrade to m-server version 1.4.1 or later, which fixes the path traversal issue [2]. If upgrading is not immediately possible, deploy a reverse proxy (e.g., Nginx) with strict path and slash normalization rules as a workaround. The vulnerability is publicly documented on HackerOne (report #319795) and in the GitHub Advisory Database (GHSA-899g-6q6w-7v94). There is no evidence that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog [1][2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions   Patched versions
m-server (npm)    < 1.4.1             1.4.1

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)