CVE-2017-16142: Directory Traversal in infraserver
CVSS Score: 7.5 (CVSS 3.0)
Basic Information
CVE ID: CVE-2017-16142
GHSA ID:
EPSS Score: 0.67323%
CWE:
Published: 7/23/2018
Updated: 9/13/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| infraserver | npm | <= 0.0.1 | |
Vulnerability Intelligence
Root Cause Analysis (Miggo AI)
The vulnerability stems from improper path resolution during HTTP request handling: the attack example shows that raw URL path segments (such as '/../../../../etc/passwd') are used directly to build filesystem paths. This indicates the absence of (1) path normalization to collapse '../' sequences, (2) validation that the resolved path still lies within the intended root directory, and (3) a safe-by-default wrapper such as express.static. While the exact implementation of infraserver is unavailable, the pattern strongly implicates the core request-handling logic as the root cause.