
CVE-2020-7687: Directory traversal in fast-http

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.67752%
Published: 7/27/2020
Updated: 1/9/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
fast-http      npm         <= 0.1.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The advisory explicitly states the vulnerability occurs at fs.readFile in index.js due to missing path sanitization. The function takes user-controlled path input (from HTTP requests) and passes it directly to filesystem operations without validation. This matches the classic directory traversal pattern, where attacker-controlled paths containing '../' sequences can access arbitrary files. Multiple sources (GitHub Advisory, NVD, Snyk) confirm the root cause is unsanitized fs.readFile usage in this file.


WAF Protection Rules

WAF Rule

This affects all versions of package fast-http. There is no path sanitization in the path provided at fs.readFile in index.js.

Reasoning

The advisory explicitly states the vulnerability occurs at `fs.readFile` in `index.js` due to missing path sanitization. The function takes user-controlled path input (from HTTP requests) and passes it directly to filesystem operations without `validation`.