7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16159

GHSA ID

GHSA-2958-5r4r-wvv6

EPSS Score

0.67352%

CWE

CWE-22

Published

9/1/2020

Updated

9/13/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16159

CVE-2017-16159: Directory Traversal in caolilinode

Affected versions of caolilinode resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system.

Example request:

GET /../../../../../../../../../../etc/passwd HTTP/1.1
host:foo

Recommendation

No patch is available for this vulnerability.

It is recommended that the package is only used for local development, and if the functionality is needed for production, a different package is used instead.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16159

GHSA ID

GHSA-2958-5r4r-wvv6

EPSS Score

0.67352%

CWE

CWE-22

Published

9/1/2020

Updated

9/13/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
caolilinode	npm	>= 0.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability information does not include concrete code snippets, commit diffs, or explicit references to specific functions in the caolilinode package. While the vulnerability is clearly described (directory traversal via improper path resolution), the lack of access to the actual implementation details (e.g., HTTP request handlers, file path resolution logic) makes it impossible to identify specific vulnerable functions with high confidence. The root cause likely resides in functions that process user-supplied URLs and resolve filesystem paths without proper sanitization, but no explicit function names or file paths are disclosed in the available data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `**olilino**` r*solv* r*l*tiv* *il* p*t*s, r*sultin* in * *ir**tory tr*v*rs*l vuln*r**ility. * m*li*ious **tor **n us* t*is vuln*r**ility to ****ss *il*s outsi** o* t** int*n*** *ir**tory root, w*i** m*y r*sult in t** *is*losur*

Reasoning

T** provi*** vuln*r**ility in*orm*tion *o*s not in*lu** *on*r*t* *o** snipp*ts, *ommit *i**s, or *xpli*it r***r*n**s to sp**i*i* *un*tions in t** `**olilino**` p**k***. W*il* t** vuln*r**ility is *l**rly **s*ri*** (*ir**tory tr*v*rs*l vi* improp*r p*

7.5

Basic Information

Concerned about an active attack path?

CVE-2017-16159: Directory Traversal in caolilinode

Recommendation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI