5.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16109

GHSA ID

GHSA-8h55-49jm-739x

EPSS Score

0.41533%

CWE

CWE-22

Published

8/29/2018

Updated

9/11/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16109

CVE-2017-16109: Directory Traversal in easyquick

Affected versions of easyquick resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system.

Example request:

GET /../../../../../../../../../../etc/passwd HTTP/1.1
host:foo

Recommendation

No patch is available for this vulnerability.

It is recommended that the package is only used for local development, and if the functionality is needed for production, a different package is used instead.

(GitHub Advisory)

5.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16109

GHSA ID

GHSA-8h55-49jm-739x

EPSS Score

0.41533%

CWE

CWE-22

Published

8/29/2018

Updated

9/11/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
easyquick	npm	<= 0.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

While no specific code is available, directory traversal vulnerabilities in Node.js servers typically stem from: 1) Unsanitized user input being used directly in filesystem operations 2) Lack of path normalization before file access. The vulnerability pattern matches classic cases where user-supplied paths (from req.url) are joined with a base directory without proper validation. The high confidence comes from the consistent vulnerability description across multiple sources and the well-understood nature of this vulnerability pattern in web servers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `**syqui*k` r*solv* r*l*tiv* *il* p*t*s, r*sultin* in * *ir**tory tr*v*rs*l vuln*r**ility. * m*li*ious **tor **n us* t*is vuln*r**ility to ****ss *il*s outsi** o* t** int*n*** *ir**tory root, w*i** m*y r*sult in t** *is*losur* o*

Reasoning

W*il* no sp**i*i* *o** is *v*il**l*, *ir**tory tr*v*rs*l vuln*r**iliti*s in `No**.js` s*rv*rs typi**lly st*m *rom: *) Uns*nitiz** us*r input **in* us** *ir**tly in *il*syst*m op*r*tions *) L**k o* p*t* norm*liz*tion ***or* *il* ****ss. T** vuln*r**il

5.3

Basic Information

Concerned about an active attack path?

CVE-2017-16109: Directory Traversal in easyquick

Recommendation

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI