VYPR
Moderate severity · NVD Advisory · Published Jul 3, 2018 · Updated Sep 17, 2024

CVE-2018-3747

Description

The 'public' npm package ≤1.0.3 allows HTML injection via file names, enabling stored XSS when a directory listing is viewed in a browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The public npm package mishandles file names that contain HTML markup. The two sources this page draws on give different affected ranges: the NVD description says ≤1.0.3 [1], while the GitHub advisory says <0.1.4 and lists 0.1.4 as the patched version [2]; check an installed copy against both. When the package generates a directory listing (auto-index) for a directory it serves, it writes the raw file name into the HTML without escaping. An attacker who can create or upload files with crafted names containing HTML tags therefore injects persistent markup into the listing page. [1][2]

Exploitation

An attacker needs write access to a directory served by the public module, for example through a file-upload feature or direct write access on the server. The attacker creates a file whose name contains HTML, such as a `<script>` element. When a user requests the directory listing, the module renders the file name as-is and the embedded script executes in that user's browser. No privilege beyond the ability to place a file is required, but the victim must view the directory listing. [1][2]

Impact

Successful exploitation results in stored cross-site scripting (XSS) in the origin that serves the directory listing. The attacker can execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, or other actions performed as the victim against the application, limited only by the site's cookie flags (for example HttpOnly) and Content Security Policy. [1][2]

Mitigation

Upgrade the public package to version 0.1.4 or later, which the GitHub advisory lists as the patched version. [2] GitHub rates the vulnerability moderate severity. No workaround is documented for deployments that cannot upgrade; at minimum, HTML-escape file names (and URL-encode them in link targets) before emitting a directory listing, and restrict who can create files in served directories. [2]
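The following is an added example, not code from the public package or from the advisory: a minimal auto-index renderer in the style the Vulnerability and Exploitation sections describe, first interpolating the raw file name into HTML (the injection pattern), then the hardened form the Mitigation section calls for, plus a small audit helper that flags names which would become markup. The sample file names are constructed; the real package's template and function names are not known from this page.

```javascript
// Added example (hypothetical code, not the public npm package's own):
// a directory-listing renderer with and without escaping.

// Constructed sample directory: one benign name, one attacker-controlled
// name carrying an HTML tag (valid as a file name on Linux and macOS).
const SAMPLE_NAMES = [
  "README.txt",
  '<img src=x onerror="alert(document.cookie)">.txt',
];

// Vulnerable pattern: the file name is concatenated into both the href
// attribute and the link text without escaping, so any markup in the
// name is emitted verbatim into the page.
function renderListingVulnerable(dir, names) {
  const rows = names.map((n) => `<li><a href="${n}">${n}</a></li>`);
  return `<h1>Index of ${dir}</h1><ul>${rows.join("")}</ul>`;
}

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened form: the link text is HTML-escaped, and the href is
// percent-encoded for the URL and then HTML-escaped because the
// attribute value itself sits inside HTML.
function renderListingSafe(dir, names) {
  const rows = names.map((n) => {
    const href = escapeHtml(encodeURIComponent(n));
    return `<li><a href="${href}">${escapeHtml(n)}</a></li>`;
  });
  return `<h1>Index of ${escapeHtml(dir)}</h1><ul>${rows.join("")}</ul>`;
}

// Audit helper for an existing served directory: any name containing an
// HTML metacharacter would inject markup if rendered by the raw pattern.
function containsHtmlMetachars(name) {
  return /[<>"'&]/.test(name);
}

function findRiskyNames(names) {
  return names.filter(containsHtmlMetachars);
}

// Demonstration over the constructed directory: the raw renderer emits
// the attacker's tag unchanged, the hardened one reduces it to inert text.
function demo() {
  const unsafe = renderListingVulnerable("/uploads", SAMPLE_NAMES);
  const safe = renderListingSafe("/uploads", SAMPLE_NAMES);
  return {
    unsafeHasTag: unsafe.includes('<img src=x onerror="alert(document.cookie)">'),
    safeHasTag: safe.includes("<img"),
    risky: findRiskyNames(SAMPLE_NAMES),
  };
}

console.log(demo());
```

To audit a live deployment, feed the output of `fs.readdirSync` for each served directory into `findRiskyNames`; a non-empty result on a version without the fix means the listing page is already carrying injected markup.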

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
public    npm         < 0.1.4             0.1.4
