CVE-2017-16162: Directory Traversal in 22lixian

CVSS Score: 7.5 (CVSS v3.0)

Basic Information

EPSS Score: 0.67352%
Published: 7/23/2018
Updated: 9/11/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: 22lixian
Ecosystem: npm
Vulnerable Versions: <= 1.0.0
First Patched Version: (none listed)

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from improper path sanitization when resolving user-supplied URLs to filesystem paths. While the exact code isn't available, the attack pattern (using /../../etc/passwd) and CWE-22 classification indicate the file-serving logic directly uses untrusted input without: 1) normalizing paths, 2) checking for traversal sequences, or 3) validating resolved paths stay within the root directory. This is a common pattern in Node.js file servers when developers use path.join(root, user_input) without additional checks, or serve files directly from raw URL parameters.

WAF Protection Rules

WAF Rule

Affected versions of `22lixian` resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of