VYPR
Moderate severity · NVD Advisory · Published Jun 7, 2018 · Updated Sep 17, 2024

CVE-2018-3715

Description

A path traversal vulnerability in glance node module before 3.0.4 allows reading arbitrary files with known paths.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The glance node module before version 3.0.4 contains a path traversal vulnerability due to lack of validation of the path passed to it [1][2]. The flaw exists in the serveRequest method, where an attacker can supply a path that escapes the intended root directory [3]. All versions prior to the fix are affected [2].

Exploitation

An attacker needs only network access to the glance instance and the ability to send HTTP requests [1]. By manipulating the path parameter (e.g., using ../ sequences), the attacker can traverse outside the root directory [3]. No authentication or special privileges are required [1].

Impact

Successful exploitation allows an attacker to read the content of any file on the system, provided the file's path is known [1][2]. This leads to unauthorized disclosure of sensitive information, such as configuration files, source code, or credentials [1].

Mitigation

All users should upgrade to glance version 3.0.4 or later, which includes a fix that checks if the requested path starts with the root directory and returns a 403 error if the path attempts to traverse outside it [3]. No workarounds are documented in the available references.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: glance (npm)
Affected versions: < 3.0.4
Patched versions: 3.0.4

Affected products

  • ghsa-coords
    Range: < 3.0.4
  • HackerOne/glance node module v5
    Range: Versions before 3.0.4

Patches

8cfd88e44ebd

fix security vulnerability

https://github.com/jarofghosts/glance · Jesse Keane · Feb 1, 2018 · via ghsa
6 files changed · +3499 −4
  • .gitignore  +61 −0  added
    @@ -0,0 +1,61 @@
    +# Logs
    +logs
    +*.log
    +npm-debug.log*
    +yarn-debug.log*
    +yarn-error.log*
    +
    +# Runtime data
    +pids
    +*.pid
    +*.seed
    +*.pid.lock
    +
    +# Directory for instrumented libs generated by jscoverage/JSCover
    +lib-cov
    +
    +# Coverage directory used by tools like istanbul
    +coverage
    +
    +# nyc test coverage
    +.nyc_output
    +
    +# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
    +.grunt
    +
    +# Bower dependency directory (https://bower.io/)
    +bower_components
    +
    +# node-waf configuration
    +.lock-wscript
    +
    +# Compiled binary addons (https://nodejs.org/api/addons.html)
    +build/Release
    +
    +# Dependency directories
    +node_modules/
    +jspm_packages/
    +
    +# Typescript v1 declaration files
    +typings/
    +
    +# Optional npm cache directory
    +.npm
    +
    +# Optional eslint cache
    +.eslintcache
    +
    +# Optional REPL history
    +.node_repl_history
    +
    +# Output of 'npm pack'
    +*.tgz
    +
    +# Yarn Integrity file
    +.yarn-integrity
    +
    +# dotenv environment variables file
    +.env
    +
    +# next.js build output
    +.next
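Review bot: a 61-line generic .gitignore is unrelated to the traversal fix; keeping housekeeping like this out of the commit titled "fix security vulnerability" makes the security patch smaller and easier for downstream users to cherry-pick.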
    
  • index.js  +5 −0  modified
    @@ -70,6 +70,11 @@ Glance.prototype.serveRequest = function Glance$serveRequest (req, res) {
       request.method = req.method.toLowerCase()
       request.response = res
     
    +  // prevent traversing directories that are parents of the root
    +  if (request.fullPath.slice(0, self.dir.length) !== self.dir) {
    +    return self.emit('error', 403, request, res)
    +  }
    +
       if (request.method !== 'get') {
         return self.emit('error', 405, request, res)
       }
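Review bot: the guard is a plain string-prefix comparison, `request.fullPath.slice(0, self.dir.length) !== self.dir`, so if `self.dir` has no trailing separator any path that merely begins with the same characters (a root of `/srv/www` against a resolved `/srv/www-private/...`) passes the check. It also only works if `request.fullPath` has already been normalized (`..` segments collapsed, percent-encoding decoded) before line 70, which this hunk does not show. Suggest comparing against `path.resolve(self.dir) + path.sep`, or rejecting when `path.relative(self.dir, request.fullPath)` starts with `..`, and adding a comment stating where fullPath is normalized.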
    
  • package.json  +1 −0  modified
    @@ -31,6 +31,7 @@
         "bash-color": "0.0.3",
         "filed": "0.1.0",
         "html-ls": "1.0.0",
    +    "mime": "1.2.6",
         "nopt": "3.0.4",
         "utils-fs-exists": "1.0.1",
         "xtend": "4.0.0"
    
  • package-lock.json  +3419 −0  added
  • test/index.js  +8 −0  modified
    @@ -71,6 +71,14 @@ test('403s on dir list if configured', function (t) {
       })
     })
     
    +test('403s if path traversal is attempted', function (t) {
    +  t.plan(1)
    +
    +  http.get('http://localhost:1666/../index.js', function (res) {
    +    t.strictEqual(res.statusCode, 403)
    +  })
    +})
    +
     test('serves index page', function (t) {
       t.plan(2)
     
    
  • .travis.yml  +5 −4  modified
    @@ -1,6 +1,7 @@
     language: node_js
     node_js:
    -  - "4.0"
    -  - "0.12"
    -  - "0.11"
    -  - "0.10"
    +  - node
    +  - lts/*
    +  - 8
    +  - 6
    +  - 4
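Review bot: this hunk drops Node 0.10, 0.11 and 0.12 from the CI matrix in the same commit as the security fix, so the fix is never tested on the versions removed; if the package still supports them, keep them until the fix is verified there, otherwise note the support change in the commit message.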
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
