VYPR
High severity · NVD Advisory · Published Jan 25, 2023 · Updated Apr 1, 2025

CVE-2022-21192
Description

All versions of the package serve-lite are vulnerable to Directory Traversal due to missing input sanitization or other checks and protections employed to the req.url passed as-is to path.join().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Ecosystem   Affected versions   Patched versions
serve-lite   npm         <= 1.1.0            (not listed)

Vulnerability mechanics

Root cause

"Missing input sanitization on `req.url` before passing it to `path.join()` allows directory traversal."

Attack vector

An attacker sends an HTTP GET request to the server with a URL containing `../` sequences, such as `curl --path-as-is "http://localhost:3000/../package.json"` [ref_id=1][ref_id=2]. Because the `req.url` is passed as-is to `path.join()` without sanitization, the path traversal sequences resolve to files outside the intended static root directory [CWE-22][ref_id=1]. The server then reads and returns the contents of the traversed file to the attacker [ref_id=2].

Affected code

The vulnerability resides in `server.js` at lines 111–114 and 140–145 [ref_id=2]. The `decodeURIComponent(req.url)` is stripped of its leading `/` and passed directly to `path.join(root, filename)` without any sanitization, and the resulting path is then used in `fs.createReadStream(file).pipe(res)` to serve the file [ref_id=2].

What the fix does

The advisory states that upgrading serve-lite to version 1.1.1 or higher fixes the vulnerability [ref_id=1]. No patch diff is provided in the bundle, but the remediation guidance is to upgrade the package. The fix presumably adds input sanitization or validation to the `req.url` before it is used in `path.join()`, preventing directory traversal sequences from escaping the static root directory.

Preconditions

  • config: The serve-lite server must be running and serving static files from a root directory.
  • network: The attacker must have network access to the server's HTTP endpoint.
  • auth: No authentication is required; the vulnerability is exploitable by any unauthenticated HTTP client.

Reproduction

1. Install the vulnerable version: `npm install --save serve-lite@1.1.0` [ref_id=1][ref_id=2].
2. Ensure a `public/` directory with files exists alongside `server.js` and `package.json` [ref_id=1][ref_id=2].
3. Start the server: `node server.js 3000 public/` [ref_id=1][ref_id=2].
4. Send a path traversal request: `curl --path-as-is "http://localhost:3000/../package.json"` and observe the contents of `package.json` returned in the response [ref_id=1][ref_id=2].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
