6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16224

GHSA ID

GHSA-72fg-jqhx-c68p

EPSS Score

0.44225%

CWE

CWE-601

Published

8/6/2018

Updated

9/11/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16224

CVE-2017-16224: Open Redirect in st

st is a module for serving static files.

An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain.

A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a proper redirect as // is translated into the current schema being used.

Mitigating factor:

In order for this to work, st must be serving from the root of a server (/) rather than the typical sub directory (/static/) and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e").

Code example (provided by Xin Gao):

[example.js]

var st = require('st') 
var http = require('http') 
http.createServer(st(process.cwd())).listen(1337)

$ curl -v http://localhost:1337//cve.mitre.com/%2e%2e
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 1337 (#0)
> GET //cve.mitre.com/%2e%2e HTTP/1.1
> Host: localhost:1337
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< cache-control: public, max-age=600
< last-modified: Fri, 13 Oct 2017 22:56:33 GMT
< etag: "16777220-46488904-1507935393000"
< location: //cve.mitre.com/%2e%2e/
< Date: Fri, 13 Oct 2017 22:56:41 GMT
< Connection: keep-alive
< Content-Length: 30
<
* Connection #0 to host localhost left intact

Recommendation

Update to version 1.2.2 or later.

(GitHub Advisory)

6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16224

GHSA ID

GHSA-72fg-jqhx-c68p

EPSS Score

0.44225%

CWE

CWE-601

Published

8/6/2018

Updated

9/11/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
st	npm	<= 1.2.1	1.2.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key functions:

getPath directly processed user-supplied paths using path.join() without sufficient validation for encoded traversals. The patch shows this was replaced with getUriPath containing improved regex checks (/(/|\|^)..?(/|\|$)/).
serve initially parsed the URL path without validation. The patch shows it was modified to use getUriPath first. In vulnerable versions, these functions would appear in stack traces when processing malicious //domain/%2e%2e requests:

serve() would handle the incoming request
getPath() would process the untrusted path Together they allowed crafting Location headers with external domains due to insufficient path normalization and validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

st is * mo*ul* *or s*rvin* st*ti* *il*s. *n *tt**k*r is **l* to *r**t * r*qu*st t**t r*sults in *n `*TTP ***` (r**ir**t) to *n *ntir*ly *i***r*nt *om*in. * r*qu*st *or: `*ttp://som*.s*rv*r.*om//no**s**urity.or*/%**%**` woul* r*sult in * *** to `//

Reasoning

T** vuln*r**ility st*ms *rom two k*y *un*tions: *. **tP*t* *ir**tly pro**ss** us*r-suppli** p*t*s usin* p*t*.join() wit*out su**i*i*nt v*li**tion *or *n*o*** tr*v*rs*ls. T** p*t** s*ows t*is w*s r*pl**** wit* **tUriP*t* *ont*inin* improv** r***x ****

6.1

Basic Information

Concerned about an active attack path?

CVE-2017-16224: Open Redirect in st

Recommendation

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI