The vulnerability stems from the code in server.js lines 111-114 (as referenced in the PoC), where req.url is percent-decoded and passed straight to path.join() with no sanitization. path.join() normalizes the joined string, so ".." segments in the decoded URL are collapsed against the serving directory and the result can point outside it; nothing checks that the resolved path is still contained in the root. Since decoding happens before the join, percent-encoded dot segments are collapsed the same way as literal ones. The proof of concept demonstrates this by requesting ../../package.json, which resolves to a file outside the served directory, confirming the lack of path containment checks. The vulnerable code path is the GET request handler that processes URLs and resolves file paths.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| serve-lite | npm | <= 1.1.0 | - |