CVE-2018-3809: Information Exposure on Case Insensitive File Systems in serve
5.3
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.44873%
CWE
Published
7/18/2018
Updated
1/9/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
serve | npm | < 7.0.0 | 7.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from case-sensitive handling of ignored files. The security patch removed the core request handling logic in lib/server.js
and directory rendering in lib/render.js
, replacing them with serve-handler
which properly handles case insensitivity. The removed serverHandler
function contained the vulnerable ignore check using 'ignoredFiles.every(item => !decodeURIComponent(pathname).includes(item))' which performed case-sensitive matching. The renderDirectory
function in render.js
generated directory listings without case normalization, potentially exposing ignored files through case variations on case-insensitive filesystems.