7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16101

GHSA ID

GHSA-2f29-pmpx-vj62

EPSS Score

0.67352%

CWE

CWE-22

Published

9/1/2020

Updated

9/7/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16101

CVE-2017-16101: Directory Traversal in serverwg

serverwg is a simple http server.

serverwg is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

Example request:

GET /../../../../../../../../../../etc/passwd HTTP/1.1
host:foo

and response:

HTTP/1.1 200 OK
Date: Wed, 17 May 2017 22:52:08 GMT
Connection: keep-alive

{contents of /etc/passwd}

Recommendation

No patch is available for this vulnerability.

It is recommended that the package is only used for local development, and if the functionality is needed for production, a different package is used instead.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16101

GHSA ID

GHSA-2f29-pmpx-vj62

EPSS Score

0.67352%

CWE

CWE-22

Published

9/1/2020

Updated

9/7/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
serverwg	npm	>= 0.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

While the exact code isn't available, the vulnerability pattern strongly indicates: 1) A file-serving function directly uses unsanitized URL paths 2) Absence of path normalization (via methods like path.resolve() in Node.js) 3) Lack of containment checks to prevent escaping the web root. This is a classic directory traversal vulnerability pattern in simple HTTP servers that map URLs directly to filesystem paths without proper sanitization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

`s*rv*rw*` is * simpl* *ttp s*rv*r. `s*rv*rw*` is vuln*r**l* to * *ir**tory tr*v*rs*l issu*, *ivin* *n *tt**k*r ****ss to t** *il*syst*m *y pl**in* "../" in t** URL. ***x*mpl* r*qu*st:** ```*ttp **T /../../../../../../../../../../*t*/p*ssw* *TTP/*.

Reasoning

W*il* t** *x**t *o** isn't *v*il**l*, t** vuln*r**ility p*tt*rn stron*ly in*i**t*s: *) * *il*-s*rvin* `*un*tion` *ir**tly us*s uns*nitiz** URL p*t*s *) **s*n** o* p*t* norm*liz*tion (vi* m*t*o*s lik* `p*t*.r*solv*()` in `No**.js`) *) L**k o* *ont*inm

7.5

Basic Information

Concerned about an active attack path?

CVE-2017-16101: Directory Traversal in serverwg

Recommendation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI