CVE-2017-16162: Directory Traversal in 22lixian
7.5
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.67352%
CWE
Published
7/23/2018
Updated
9/11/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
22lixian | npm | <= 1.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper path sanitization when resolving user-supplied URLs to filesystem paths. While the exact code isn't available, the attack pattern (using /../../etc/passwd) and CWE-22 classification indicate the file-serving logic directly uses untrusted input without: 1) normalizing paths, 2) checking for traversal sequences, or 3) validating resolved paths stay within the root directory. This is a common pattern in Node.js file servers when developers use path.join(root, user_input)
without additional checks, or serve files directly from raw URL parameters.