CVE-2019-5422

Vulnerability

The buttle npm package version 0.2.0 is vulnerable to cross-site scripting (XSS) due to missing Content-Type headers when serving static files. An attacker who can create an arbitrary file on the server (e.g., via a write vulnerability or misconfigured upload) can craft an HTML file containing malicious JavaScript. When a victim accesses this file via the buttle server, the browser interprets and executes the script. This issue is documented in the GitHub Advisory [2].

Exploitation

To exploit this vulnerability, the attacker must have the ability to write a file to the server's file system where buttle serves static content. The attacker uploads or creates an HTML file with embedded JavaScript (e.g., `). When a victim visits the corresponding URL, the server serves the file without a restrictive Content-Type` header, causing the browser to render it as HTML and execute the script. No user interaction beyond visiting the URL is required.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to theft of session cookies, credential harvesting, defacement, or redirection to malicious sites. The attack compromises the confidentiality and integrity of the victim's interaction with the web application.

Mitigation

As of the advisory publication (April 2019), no official patch has been released for buttle version 0.2.0. The package appears to be unmaintained. Users are advised to avoid using buttle or replace it with an alternative static file server that properly sets content security headers. If migration is not immediately possible, a reverse proxy can be configured to add Content-Type headers or restrict file serving to non-HTML types.