CVE-2017-16018: Cross-Site Scripting (XSS) in restify
CVSS Score: 6.1 (CVSS 3.0)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.45009%
CWE
Published: 11/9/2018
Updated: 9/12/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
restify | npm | >= 2.0.0, <= 4.0.4 | 4.1.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how restify's router handles requests for non-existent URLs: the 404 error message echoes the requested URL back to the client. The key change in commit a015067 shows:
- In lib/router.js, the original error response construction used raw req.url containing query parameters
- The patched version explicitly extracts pathname via url.parse() to remove dangerous query components
- The Router.prototype.find method is the execution path that processes unmatched routes and generates 404 responses
- At runtime, this function would appear in stack traces when handling malicious requests to non-existent endpoints
- The vulnerable version passes user-controlled req.url directly to error message formatting without sanitization