6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16018

GHSA ID

GHSA-qw3g-35hc-fcrh

EPSS Score

0.45009%

CWE

CWE-79

Published

11/9/2018

Updated

9/12/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16018

CVE-2017-16018: Cross-Site Scripting (XSS) in restify

Affected versions of restify are susceptible to a cross-site scripting vulnerability when using URL encoded script tags in a non-existent URL.

Proof of Concept:

Request

https://localhost:3000/no5_such3_file7.pl?%22%3E%3Cscript%3Ealert(73541);%3C/script%3E

Will be included in response:

<script>alert(73541);</script>

Recommendation

Update to version 4.1.0 or later.

(GitHub Advisory)

6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16018

GHSA ID

GHSA-qw3g-35hc-fcrh

EPSS Score

0.45009%

CWE

CWE-79

Published

11/9/2018

Updated

9/12/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
restify	npm	>= 2.0.0, <= 4.0.4	4.1.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how restify's router handles non-existent URLs. The key change in commit a015067 shows:

In lib/router.js, the original error response construction used raw req.url containing query parameters
The patched version explicitly extracts pathname via url.parse() to remove dangerous query components
The Router.prototype.find method is the execution path that processes unmatched routes and generates 404 responses
At runtime, this function would appear in stack traces when handling malicious requests to non-existent endpoints
The vulnerable version passes user-controlled req.url directly to error message formatting without sanitization

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `r*sti*y` *r* sus**pti*l* to * *ross-sit* s*riptin* vuln*r**ility w**n usin* URL *n*o*** s*ript t**s in * non-*xist*nt URL. ## Proo* o* *on**pt: R*qu*st ``` *ttps://lo**l*ost:****/no*_su***_*il**.pl?%**%**%**s*ript%***l*rt(****

Reasoning

T** vuln*r**ility st*ms *rom *ow r*sti*y's rout*r **n*l*s non-*xist*nt URLs. T** k*y ***n** in *ommit ******* s*ows: *. In li*/rout*r.js, t** ori*in*l *rror r*spons* *onstru*tion us** r*w r*q.url *ont*inin* qu*ry p*r*m*t*rs *. T** p*t**** v*rsion *xp

6.1

Basic Information

Concerned about an active attack path?

CVE-2017-16018: Cross-Site Scripting (XSS) in restify

Proof of Concept:

Recommendation

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI