CVE-2020-7687: Directory traversal in fast-http
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.67752%
CWE
Published
7/27/2020
Updated
1/9/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
fast-http | npm | <= 0.1.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The advisory explicitly states the vulnerability occurs at fs.readFile
in index.js
due to missing path sanitization. The function takes user-controlled path input (from HTTP requests) and passes it directly to filesystem operations without validation()
. This matches the classic directory traversal pattern where attacker-controlled paths with '../' sequences can access arbitrary files. Multiple sources (GitHub Advisory, NVD, Snyk) confirm the root cause is unsanitized fs.readFile
usage in this file.