CVE-2014-6394: Directory Traversal in send
7.5
CVSS Score
Basic Information
CVE ID
GHSA ID
EPSS Score
0.89047%
CWE
Published
10/24/2017
Updated
1/9/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
AV:N/AC:L/Au:N/C:P/I:P/A:P
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
send | npm | < 0.8.4 | 0.8.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how root path normalization and comparison were handled in SendStream's pipe
method. The original code normalized the root without a trailing separator (normalize(root)
), then checked if the requested path started with this root. This allowed paths like '/public-restricted' to match '/public' due to partial prefix matching. The fix adds a trailing separator to the root during normalization (normalize(root + sep)
), ensuring exact directory boundary matching. The code changes in lib/send.js
and associated test cases in the commit confirm this was the vulnerable function.