VYPR
High severity · NVD Advisory · Published Jan 30, 2023 · Updated Mar 27, 2025

CVE-2022-25936

Description

Versions of the package servst before 2.0.3 are vulnerable to Directory Traversal due to improper sanitization of the filePath variable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

servst versions before 2.0.3 are vulnerable to directory traversal, allowing attackers to access files outside the intended root directory.

Vulnerability

Overview

The servst package, a simple HTTP file server for Node.js, is vulnerable to Directory Traversal in versions prior to 2.0.3 [1]. The root cause is improper sanitization of the filePath variable, which allows an attacker to bypass path restrictions using sequences like ../ and their URL-encoded variants [2].

Exploitation

Details

The weak point is the path check in index.js. The server percent-decodes the request URI, joins it onto the configured root directory and normalizes the result, but then only tests whether the resulting filePath begins with the root path, using indexOf. That is a string-prefix comparison, not a directory-containment check: a request such as /../public-isprivate/index.html normalizes to a sibling path (for a root directory named public, something like .../public-isprivate/index.html) that does begin with the root string even though it lies outside the root directory, so the check passes and the file is served [3]. No authentication is required; any client that can reach the servst listener over HTTP can send such a request.

Impact

An unauthenticated attacker can read files outside the configured root directory, including application source code, configuration files and other sensitive data [2]. Depending on the target path, the same flaw may also expose directory listings, adding to the information disclosure [3].

Mitigation

The vulnerability is fixed in version 2.0.3; upgrade to that version or later [1]. No workaround is known. The package has limited usage and is no longer actively maintained [3], so affected deployments should also check lockfiles for transitive use and consider replacing it.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
servst (npm)   < 2.0.3             2.0.3

Affected products: 3

Patches: 1

References: 5
