CVE-2019-5457
Description
CVE-2019-5457 describes a stored XSS in min-http-server allowing attackers with file system access to execute arbitrary JavaScript in victims' browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
CVE-2019-5457 is a cross-site scripting (XSS) vulnerability present in all versions of min-http-server. The root cause is improper neutralization of user-controllable data stored in files on the server which, when served to users, is interpreted by the browser as executable script. The official description indicates that an attacker with access to the server's file system can inject arbitrary JavaScript code that will execute in the browser of any user viewing the served content [1].
Exploitation
Prerequisites
Exploitation of this XSS requires that the attacker has write access to the server's file system, allowing them to modify or create files that are later served by min-http-server. The attack is performed by placing malicious script content into a file accessible through the server. When a victim's browser requests that file, the injected script executes within the security context of the serving origin, so the same-origin policy places no restriction on its access to that origin's content and cookies [1].
Impact
An attacker who successfully exploits this vulnerability gains the ability to execute arbitrary JavaScript in the context of the victim's session with the min-http-server. This can lead to session hijacking, theft of cookies or authentication tokens, redirection to malicious sites, or defacement of served web pages. Because the vulnerability exists in all versions of min-http-server, the user base is broadly affected [1].
Mitigation
Status
As of the publication date (2019-07-30), no patched version of min-http-server has been released. The advisory from HackerOne (report #570568) confirms the issue but does not indicate a fix or workaround. Users should consider switching to an alternative, actively maintained HTTP server package to avoid exposure to this persistent XSS risk.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| min-http-server | npm | <= 1.0.6 | none |
Affected products
- min-http-server/min-http-server v5; Range: Not Fixed
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-j657-59rv-qwm6 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-5457 (advisory)
- hackerone.com/reports/570568 (HackerOne report, web)
- www.npmjs.com/advisories/1111 (npm advisory, web)
News mentions
No linked articles in our index yet.