7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16185

GHSA ID

GHSA-pm44-7gw9-6g8p

EPSS Score

0.67352%

CWE

CWE-22

Published

9/1/2020

Updated

9/12/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16185

CVE-2017-16185:
Directory Traversal in uekw1511server

Affected versions of uekw1511server resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system.

Example request:

GET /../../../../../../../../../../etc/passwd HTTP/1.1
host:foo

Recommendation

No patch is available for this vulnerability.

It is recommended that the package is only used for local development, and if the functionality is needed for production, a different package is used instead.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16185

GHSA ID

GHSA-pm44-7gw9-6g8p

EPSS Score

0.67352%

CWE

CWE-22

Published

9/1/2020

Updated

9/12/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
uekw1511server	npm	>= 0.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper path sanitization when handling user-supplied URLs. The server likely uses a function that directly maps URL paths to filesystem paths using raw input (e.g., via path.join or string concatenation) without validation. This matches the observed exploit pattern where '../' sequences bypass directory restrictions. While the exact implementation details aren't provided, the described vulnerability pattern strongly indicates a flawed request handling function common in static file servers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `u*kw****s*rv*r` r*solv* r*l*tiv* *il* p*t*s, r*sultin* in * *ir**tory tr*v*rs*l vuln*r**ility. * m*li*ious **tor **n us* t*is vuln*r**ility to ****ss *il*s outsi** o* t** int*n*** *ir**tory root, w*i** m*y r*sult in t** *is*losu

Reasoning

T** vuln*r**ility st*ms *rom improp*r p*t* s*nitiz*tion w**n **n*lin* us*r-suppli** URLs. T** s*rv*r lik*ly us*s * *un*tion t**t *ir**tly m*ps URL p*t*s to *il*syst*m p*t*s usin* r*w input (*.*., vi* `p*t*.join` or strin* *on**t*n*tion) wit*out v*li*

7.5

Basic Information

Concerned about an active attack path?

CVE-2017-16185: Directory Traversal in uekw1511server

Recommendation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2017-16185:
Directory Traversal in uekw1511server

Vulnerability Intelligence
Miggo AI