CVE-2018-3731
Description
Path Traversal in the 'public' npm module allows reading arbitrary files due to unvalidated filePath input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Versions of the public npm module up to and including 0.1.2 contain a path traversal vulnerability in the static HTTP file server the module starts. The server never checks that the requested filePath stays inside the served directory, so a request whose path contains ../ sequences resolves to a location outside that directory, and any file with a known path that the server process can read can be retrieved [1], [2].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the server with a filePath containing path traversal sequences (e.g., ../../../etc/passwd). No authentication is required, and the attacker only needs network access to the server [1], [2].
Impact
Successful exploitation allows an attacker to read the contents of any file on the server's filesystem where the server process has read permissions. This can lead to disclosure of sensitive information, such as configuration files, source code, or user credentials [1], [2].
Mitigation
The fix, commit eae8ad8017b260f8667ded5e12801bd72b877af2, resolves the served directory once (root = path.resolve(dir)), resolves each requested file to an absolute path, and answers with a 403 Forbidden response whenever that absolute path does not begin with the resolved root (a string-prefix check), so a path containing ../ can no longer escape the directory [3]. Users should upgrade to version 0.1.3 or later. The repository has been archived, so no further updates will be provided.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| public (npm) | < 0.1.3 | 0.1.3 |
Affected products
- HackerOne / public node module, Range: All versions
Patches
1 file changed · +8 −0
bin/public+8 −0 modified@@ -67,6 +67,7 @@ switch (args[0]) { } } } +var root = path.resolve(dir); if (path) { http.createServer(function(req, res) { @@ -75,6 +76,13 @@ if (path) { var base = filePath.replace(dir, ''); // Base path for browser link var abs = path.resolve(filePath); console.log(new Date().toString(), abs); + + if (abs.indexOf(root) !== 0) { + res.writeHead(403, { 'Content-Type': 'text/plain' }); + res.end('Forbidden\n'); + return; + } + fs.readFile(filePath, function(err, data) { if (err) { res.writeHead(200, { 'Content-Type': 'text/html' });
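Review bot: in the first hunk, `root` is resolved without a trailing separator and is later used only as a string prefix, so a sibling of the served directory whose name merely starts with the same characters (serving `site` would also expose `site-backup`) passes the guard; compare against `root + path.sep` (accepting `abs === root` for the directory itself), or use `path.relative(root, abs)` and reject results that start with `..` or are absolute.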
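Review bot: in the second hunk, the guard `abs.indexOf(root) !== 0` is evaluated on `abs`, but the `fs.readFile(filePath, ...)` call that follows still opens `filePath`; this is safe only because `path.resolve` normalizes the `..` segments deterministically, so pass `abs` to `fs.readFile` so the checked path and the opened path are the same value. `path.resolve` also does not follow symbolic links, so a link inside the served directory that points outside it still passes; if that matters for the deployment, compare `fs.realpath` results instead. Logging `abs` before the 403 return is useful as written, since rejected traversal attempts are recorded with their resolved target.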
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-rwv8-jvff-jq28 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2018-3731 (NVD advisory)
- https://github.com/tnantoka/public/commit/eae8ad8017b260f8667ded5e12801bd72b877af2 (fix commit)
- https://hackerone.com/reports/312918 (HackerOne report)
- https://www.npmjs.com/advisories/571 (npm advisory)
News mentions
No linked articles in our index yet.