VYPR
Moderate severity · NVD Advisory · Published Jan 25, 2023 · Updated Apr 1, 2025

CVE-2022-25847

Description

All versions of the package serve-lite are vulnerable to Cross-site Scripting (XSS) because when it detects a request to a directory, it renders a file listing of all of its contents with links that include the actual file names without any sanitization or output encoding.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions    Patched versions
serve-lite (npm)   <= 1.1.0

Vulnerability mechanics

Root cause

"Missing output encoding of file names when rendering a directory listing page allows injection of arbitrary HTML and JavaScript."

Attack vector

An attacker creates a file whose name contains an XSS payload (e.g., `>

Affected code

The vulnerability is in `server.js` at lines 127–132 [ref_id=2]. When the server detects a request to a directory, it iterates over the file list and writes each file name directly into an HTML anchor element without any sanitization or output encoding: `res.write(\`[${type}]

What the fix does

The advisory [ref_id=1] states that upgrading serve-lite to version 1.1.2 or higher fixes the vulnerability. No patch diff is included in the bundle, but the remediation is to sanitize or encode file names before inserting them into the HTML response, preventing the browser from interpreting malicious characters as markup.
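To make the root cause and the remediation concrete, here is an added example (not serve-lite's own `server.js`): a minimal listing renderer written in the vulnerable style described above, beside a hardened version that URL-encodes the name for the `href` and HTML-encodes it for the markup. Function names, the sample entries and the `containsRawTag` check are illustrative assumptions, not taken from the project.

```javascript
// Added example, not serve-lite's code. Names below are illustrative.

// Vulnerable style: the raw file name is interpolated into both the href
// attribute and the link text, so markup in the name reaches the browser.
function renderListingVulnerable(dirPath, entries) {
  let html = `<html><body><h1>Index of ${dirPath}</h1><ul>`;
  for (const { name, type } of entries) {
    html += `<li>[${type}] <a href="${name}">${name}</a></li>`;
  }
  return html + '</ul></body></html>';
}

// Encode the characters that can break out of text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: percent-encode for the URL, HTML-encode for the markup.
function renderListingSafe(dirPath, entries) {
  let html = `<html><body><h1>Index of ${escapeHtml(dirPath)}</h1><ul>`;
  for (const { name, type } of entries) {
    const href = encodeURIComponent(name);
    html += `<li>[${escapeHtml(type)}] <a href="${href}">${escapeHtml(name)}</a></li>`;
  }
  return html + '</ul></body></html>';
}

// Constructed sample listing: one benign entry and one whose name carries markup.
const SAMPLE_ENTRIES = [
  { name: 'readme.txt', type: 'file' },
  { name: '<b>not-a-file</b>.txt', type: 'file' },
];

// Defender-side check: does any entry name that contains markup characters
// appear verbatim (unencoded) in the rendered page?
function containsRawTag(html, entries) {
  return entries.some((e) => /[<>"']/.test(e.name) && html.includes(e.name));
}

module.exports = { renderListingVulnerable, renderListingSafe, escapeHtml, containsRawTag, SAMPLE_ENTRIES };
```

Running `containsRawTag` over both renderers shows the vulnerable output still contains the raw `<b>` markup while the hardened output only contains `&lt;b&gt;`.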

Preconditions

  • input: The attacker must be able to create a file with an arbitrary name (containing HTML/JavaScript) in a directory served by the vulnerable server.
  • network: The server must be running and accessible over the network.
  • network: The victim must browse to the directory listing URL served by the vulnerable instance.

Reproduction

1. Install serve-lite version 1.1.0: `npm install --save lite-dev-server@1.1.0` [ref_id=1][ref_id=2].
2. Create a `public/` directory with files.
3. Add a file with an XSS payload in its name: `touch '>

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
