7.5

CVSS Score

Basic Information

CVE ID

CVE-2014-6394

GHSA ID

GHSA-xwg4-93c6-3h42

EPSS Score

0.89047%

CWE

CWE-22

Published

10/24/2017

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2014-6394

CVE-2014-6394: Directory Traversal in send

Versions 0.8.3 and earlier of send are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory.

For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.

Recommendation

Update to version 0.8.4 or later.

(GitHub Advisory)

7.5

CVSS Score

Basic Information

CVE ID

CVE-2014-6394

GHSA ID

GHSA-xwg4-93c6-3h42

EPSS Score

0.89047%

CWE

CWE-22

Published

10/24/2017

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
send	npm	< 0.8.4	0.8.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how root path normalization and comparison were handled in SendStream's pipe method. The original code normalized the root without a trailing separator (normalize(root)), then checked if the requested path started with this root. This allowed paths like '/public-restricted' to match '/public' due to partial prefix matching. The fix adds a trailing separator to the root during normalization (normalize(root + sep)), ensuring exact directory boundary matching. The code changes in lib/send.js and associated test cases in the commit confirm this was the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions *.*.* *n* **rli*r o* `s*n*` *r* *****t** *y * *ir**tory tr*v*rs*l vuln*r**ility. W**n r*lyin* on t** root option to r*stri*t *il* ****ss it m*y ** possi*l* *or *n *ppli**tion *onsum*r to *s**p* out o* t** r*stri*t** *ir**tory *n* ****ss *il*

Reasoning

T** vuln*r**ility st*ms *rom *ow root p*t* norm*liz*tion *n* *omp*rison w*r* **n*l** in S*n*Str**m's `pip*` m*t*o*. T** ori*in*l *o** norm*liz** t** root wit*out * tr*ilin* s*p*r*tor (`norm*liz*(root)`), t**n ****k** i* t** r*qu*st** p*t* st*rt** wit

7.5

Basic Information

Concerned about an active attack path?

CVE-2014-6394: Directory Traversal in send

Recommendation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI