VYPR
Moderate severity · NVD Advisory · Published Feb 13, 2023 · Updated Mar 21, 2025

CVE-2022-25937

Description

glance npm package before 3.0.9 allows directory traversal, enabling attackers to read files outside the root directory due to incomplete fix for CVE-2018-3715.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

glance is a small HTTP static file server for Node.js. Versions before 3.0.9 are vulnerable to directory traversal: an unauthenticated client can read files outside the configured public root. The flaw is related to, but distinct from, CVE-2018-3715 [1], and is the result of an incomplete fix for that earlier issue. The pre-3.0.9 code normalized the root with path.normalize and then guarded each request with a string-prefix comparison, request.fullPath.slice(0, self.dir.length) !== self.dir. A prefix comparison on path strings is not a containment check: any sibling directory whose path begins with the root's path passes it. With public as the root, a request for ../public-isprivate/index.html normalizes to public-isprivate/index.html, which starts with public, so it is served [2][4].

Exploitation is a plain HTTP GET whose path contains ../ sequences. No authentication is involved (glance has none), and while the server is typically bound to a local port, anything that can reach that port can send the request. The proof of concept in [4] shows the asymmetry: ../private/index.html is correctly refused, while ../public-isprivate/index.html (public-isprivate being a sibling of the root) is served, because only the prefix is compared. The reachable files are therefore limited to directories whose path string begins with the root's path string, but that still exposes content that was meant to be unreachable.

The impact is arbitrary file read from any directory whose path shares the configured root's path as a string prefix, which may include configuration files, source code or private data stored beside the public root. Version 3.0.9 fixes the check: the root is made absolute with path.resolve instead of path.normalize, and a request is accepted only if path.relative(root, fullPath) does not begin with .., that is, only if the requested file lies inside the root [2].

Upgrade to glance 3.0.9 or later. The package sees little maintenance activity beyond this fix, so consider migrating to an actively maintained static file server. The 3.0.9 check rejects the sibling-directory bypass along with ordinary ../ traversal.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
glance    npm         < 3.0.9             3.0.9

Patches

8cecfe90286e

Fix path traversal vulnerability

https://github.com/jarofghosts/glance · Jesse Keane · Feb 2, 2023 · via GHSA
3 files changed · +40 −8
  • index.js+6 6 modified
    @@ -24,7 +24,7 @@ function Glance(options) {
       this.port = options.port
       this.hideindex = options.hideindex
       this.indices = options.indices
    -  this.dir = path.normalize(options.dir)
    +  this.dir = path.resolve(options.dir)
       this.nodot = options.nodot
     
       return this
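Review bot: the switch to `path.resolve()` only closes the hole if `request.fullPath` is built from the now-absolute `self.dir` (for example `path.join(self.dir, ...)`) rather than from the raw `options.dir`; that line is not in this diff, so please confirm it. Also worth a one-line comment here: `path.resolve()` anchors a relative `options.dir` to `process.cwd()` at construction time, so a later `process.chdir()` will not move the served root, which is the behaviour you want but differs from what `path.normalize()` gave.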
    @@ -72,7 +72,7 @@ Glance.prototype.serveRequest = function Glance$serveRequest(req, res) {
       request.response = res
     
       // prevent traversing directories that are parents of the root
    -  if (request.fullPath.slice(0, self.dir.length) !== self.dir) {
    +  if (path.relative(self.dir, request.fullPath).startsWith('..')) {
         return self.emit('error', 403, request, res)
       }
     
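Review bot: `path.relative(self.dir, request.fullPath).startsWith('..')` is over-strict as well as not quite complete. It rejects legitimate entries inside the root whose names begin with two dots (a request for `/..notes.txt` yields the relative path `..notes.txt`), and on Windows `path.relative()` across drive letters returns an absolute path that does not start with `..` at all. Prefer `rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)`. Note too that the comparison is purely lexical: a symlink inside the root that points outside it is still followed, so either document that symlinked roots are out of scope or add an `fs.realpath()` check.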
    @@ -193,10 +193,10 @@ function renderPage(title, body, res) {
     
     function errorTitle(errorCode) {
       var mappings = {
    -    '404': 'File Not Found',
    -    '403': 'Forbidden',
    -    '405': 'Method Not Allowed',
    -    '500': 'Internal Server Error',
    +    404: 'File Not Found',
    +    403: 'Forbidden',
    +    405: 'Method Not Allowed',
    +    500: 'Internal Server Error',
       }
       return mappings[errorCode.toString()]
     }
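Review bot: the `errorTitle()` key change from `'404'` to `404` is unrelated to the traversal fix and behaviour-neutral (numeric object keys are coerced to strings, and the lookup still goes through `errorCode.toString()`). Keep cosmetic churn out of a security fix commit so the patch stays minimal for backports, or at least mention it in the commit message.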
    
  • test/glance-test-exploit/secret.txt+1 0 added
    @@ -0,0 +1 @@
    +wee
    \ No newline at end of file
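Review bot: this fixture only reproduces the bypass if the directory glance serves during the tests is a string prefix of `glance-test-exploit` (for example a root named `glance-test`); that dependency is not visible in this diff. Add a short comment or README beside `secret.txt` explaining why the sibling directory carries that name, otherwise a future rename of the test root silently turns the new regression test into one that also passes against the vulnerable code.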
    
  • test/index.js+33 2 modified
    @@ -1,4 +1,5 @@
     var http = require('http')
    +var net = require('net')
     
     var test = require('tape')
     
    @@ -74,8 +75,38 @@ test('403s on dir list if configured', function (t) {
     test('fails if path traversal is attempted', function (t) {
       t.plan(1)
     
    -  http.get('http://localhost:1666/../index.js', function (res) {
    -    t.notStrictEqual(res.statusCode, 200)
    +  var socket = new net.Socket()
    +  socket.connect(1666, 'localhost', function () {
    +    socket.on('data', function (data) {
    +      var result = data.toString().split('\n')[0]
    +      t.equals(result.trim(), 'HTTP/1.1 403 Forbidden')
    +      socket.end()
    +    })
    +    socket.write(`GET /../index.js HTTP/1.1
    +Host: localhost
    +user-agent: test/1.2.3
    +accept: */*
    +
    +`)
    +  })
    +})
    +
    +test('fails if path traversal with conveniently-named directory is attempted', function (t) {
    +  t.plan(1)
    +
    +  var socket = new net.Socket()
    +  socket.connect(1666, 'localhost', function () {
    +    socket.on('data', function (data) {
    +      var result = data.toString().split('\n')[0]
    +      t.equals(result.trim(), 'HTTP/1.1 403 Forbidden')
    +      socket.end()
    +    })
    +    socket.write(`GET /../glance-test-exploit/secret.txt HTTP/1.1
    +Host: localhost
    +user-agent: test/1.2.3
    +accept: */*
    +
    +`)
       })
     })
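Review bot: the move from `http.get()` to a raw `net.Socket` deserves a comment in the test itself: Node parses a string URL with `new URL()`, which collapses `/../index.js` to `/index.js` before the request leaves the client, so the old test never put a `..` segment on the wire and would have passed against the vulnerable server. Two smaller points on the new tests: HTTP request lines and headers should end in `\r\n`, not bare `\n` (Node's parser tolerates it, but a test that deliberately speaks raw HTTP should send the canonical form), and the `'data'` handler can fire more than once before `socket.end()` takes effect, which with `t.plan(1)` fails the test with an extra assertion; use `socket.once('data', ...)`.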
     
    

Vulnerability mechanics

Root cause

"Insufficient validation of requested file paths allows directory traversal outside the public root directory."

Attack vector

An attacker triggers the vulnerability with a crafted HTTP GET whose path contains directory traversal sequences such as `../`. Because the pre-3.0.9 check only compares a string prefix of the resolved path against the root, such a request can reach files outside the intended public root [patch_id=23654]. The vulnerability is distinct from [CVE-2018-3715].

Affected code

The vulnerability exists in `index.js` within the `Glance` constructor and the `serveRequest` method. The patch modifies how the root directory is resolved and how path traversal is validated [patch_id=23654].

What the fix does

The patch changes the `Glance` constructor to resolve the root with `path.resolve()` instead of `path.normalize()`, so `self.dir` is always an absolute path [patch_id=23654]. In `serveRequest` it replaces the string-prefix comparison with `path.relative(self.dir, request.fullPath)` and rejects the request when that relative path starts with `..`, which is the case exactly when the requested file lies outside the configured root; a sibling directory whose name merely starts with the root's name now yields a relative path beginning with `../` and is refused [patch_id=23654].

Preconditions

  • config: The application must be running a version of glance before 3.0.9.

Generated on May 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
