CVE-2019-5447
Description
A path traversal vulnerability in http-file-server npm module <=0.2.6 allows attackers to list files in arbitrary directories.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The http-file-server npm module is a simple static file server. Versions up to and including 0.2.6 contain a path traversal vulnerability that allows an attacker to escape the intended root directory and list files in arbitrary folders. The root cause is insufficient validation of user-supplied paths, enabling directory traversal sequences to be processed without restriction.
An attacker can exploit this by sending crafted HTTP requests containing directory traversal sequences (e.g., ../) to the server. No authentication is required, as the module is typically exposed directly to clients. The attack can be performed remotely if the server is accessible over a network, making it straightforward to execute.
Successful exploitation allows the attacker to list the contents of any directory on the server's filesystem that the process has read access to. This can lead to information disclosure, potentially revealing sensitive files, configuration data, or other resources that should not be publicly accessible.
The vulnerability was fixed in version 0.2.7. Users are strongly advised to upgrade immediately. The issue was reported via HackerOne and is documented in the NVD entry [1].
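The root cause described above, shown as an added example that is not the http-file-server module's own code: a naive join of the request path onto the serving root, beside a containment check that refuses any path resolving outside it. The root `/srv/public`, the function names and the sample request paths are assumptions constructed for illustration.

```javascript
const path = require('path');

// Hypothetical serving root (constructed; POSIX paths assumed).
const ROOT = '/srv/public';

// Weak pattern: join the decoded request path onto the root and use the result as-is.
function resolveNaive(root, urlPath) {
  return path.join(root, decodeURIComponent(urlPath));
}

// Hardened pattern: returns the absolute path to list, or null to refuse the request.
function resolveContained(root, urlPath) {
  let decoded;
  try {
    // Decode first so the check sees the same string the filesystem call would.
    decoded = decodeURIComponent(urlPath);
  } catch (err) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL bytes never belong in a path

  const base = path.resolve(root);
  const target = path.resolve(base, '.' + path.sep + decoded);
  // Compare by relative path, not string prefix: a prefix test on "/srv/public"
  // would also accept the sibling directory "/srv/public-backup".
  const rel = path.relative(base, target);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return escapes ? null : target;
}

// Constructed request paths for the demonstration.
const SAMPLE_REQUESTS = ['/', '/docs/../img', '/../../etc', '/../public-backup'];

// Resolve each request both ways so the difference is visible side by side.
function audit(root, requests) {
  return requests.map((p) => ({
    request: p,
    naive: resolveNaive(root, p),
    contained: resolveContained(root, p),
  }));
}

console.table(audit(ROOT, SAMPLE_REQUESTS));
```

The check is purely lexical; a server that follows symbolic links inside the root would also need to compare the `fs.realpath` results of the root and the target.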
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| http-file-server (npm) | >= 0 | — |
Affected products
- http-file-server/http-file-server
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-2mp5-m968-gwr2 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-5447 (ghsa, ADVISORY)
- hackerone.com/reports/570133 (ghsa, x_refsource_MISC, WEB)
- www.npmjs.com/advisories/1077 (ghsa, WEB)